CN112105015B - Secondary authentication method and device - Google Patents


Info

Publication number: CN112105015B
Authority: CN (China)
Prior art keywords: authentication, identity, network, terminal device, user
Legal status: Active
Application number: CN201910522598.3A
Other languages: Chinese (zh)
Other versions: CN112105015A
Inventors: 雷中定, 王海光, 康鑫
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Related applications and publications:
  Priority to CN202210997886.6A: CN115835218A
  Priority to CN201910522598.3A: CN112105015B
  Priority to EP20827832.5A: EP3955613A4
  Priority to PCT/CN2020/088907: WO2020253408A1
  Publication of CN112105015A
  Priority to US17/532,757: US20220086145A1
  Application granted
  Publication of CN112105015B

Classifications

    • H04L63/0869 (H04L63/00 Network architectures or network communication protocols for network security; H04L63/08 for authentication of entities): for achieving mutual authentication
    • H04W12/72 (H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity; H04W12/60 Context-dependent security; H04W12/69 Identity-dependent): Subscriber identity
    • H04L63/0876 (H04L63/00 Network architectures or network communication protocols for network security; H04L63/08 for authentication of entities): based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04W12/08 (H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity): Access security
    • H04W12/76 (H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity; H04W12/60 Context-dependent security; H04W12/69 Identity-dependent): Group identity
    • H04W12/06 (H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity): Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

An embodiment of the application provides a secondary authentication method and device. The method includes: a core network functional entity acquires an identity of a first terminal device, where the identity of the first terminal device is an identity in a first network; the core network functional entity sends the identity of the first terminal device to an authentication device in a second network, where the identity of the first terminal device is used to determine the identity, in the second network, of a first user on whom secondary authentication is performed, and the identity of the first user is different from the identity of the first terminal device. Because the authentication device in the second network can derive the identity of the first user from the identity of the first terminal device, the identity of the first user is conveyed implicitly rather than transmitted, which strengthens protection of the user's identity during secondary authentication.

Description

Secondary authentication method and device
Technical Field
The present application relates to the field of communications, and more particularly, to a method and apparatus for secondary authentication.
Background
With the rapid development of communication technology, and to meet diverse user demands, an operator network can deploy many network slices serving different applications and vertical industries. Before a terminal device is allowed to access a network or network slice, it must be mutually authenticated with, and authorized by, that network and/or network slice.
Currently, a 3rd Generation Partnership Project (3GPP) network can support a primary authentication mechanism and a secondary authentication mechanism at the same time. Primary authentication is authentication between the terminal device and the operator network; secondary authentication is authentication between the terminal device (or the user using the terminal device) and a third-party network.
During secondary authentication the third-party network needs the identity of the user. Typically the operator network requests that identity from the terminal device and then forwards it to the third-party network, so the identity is carried over every hop of that exchange and is at risk of leakage throughout.
Disclosure of Invention
This application provides a secondary authentication method and device that strengthen protection of the user's identity during secondary authentication.
In a first aspect, a method for secondary authentication is provided, which includes: a core network functional entity acquires an identity of a first terminal device, where the identity of the first terminal device is an identity in a first network; and the core network functional entity sends the identity of the first terminal device to an authentication device in a second network, where the identity of the first terminal device is used to determine the identity, in the second network, of a first user on whom secondary authentication is performed, and the identity of the first user is different from the identity of the first terminal device.
In the technical solution provided by the embodiments of this application, the core network functional entity sends the identity of the first terminal device to the authentication device in the second network, and that identity is used to determine the identity, in the second network, of the first user on whom secondary authentication is performed. The core network functional entity therefore does not need to send the identity of the first user to the authentication device in the second network directly.
By contrast, in the prior art the core network functional entity sends the first terminal device a request for the identity of the first user, the first terminal device returns that identity in its response, and the core network functional entity then forwards it to the second network, so the identity of the first user is carried over every hop of the exchange.
With reference to the first aspect, in a possible implementation manner, the sending, by the core network functional entity, of the identity of the first terminal device to the authentication device in the second network includes: the core network functional entity sends a secondary authentication request to the authentication device in the second network, where the secondary authentication request includes the identity of the first terminal device but does not include the identity of the first user; and the method further includes: the core network functional entity receives a secondary authentication response message from the authentication device in the second network, where the secondary authentication response message instructs the first terminal device and the second network to perform secondary authentication on the first user.
With reference to the first aspect, in a possible implementation manner, the method further includes: the core network functional entity sends a first message to the first terminal device requesting the identity of the first user; the core network functional entity receives a second message from the first terminal device; and when the second message does not include the identity of the first user, the core network functional entity performs secondary authentication on the first user according to the identity of the first terminal device.
In this embodiment the core network functional entity still requests the identity of the first user from the first terminal device, but the first terminal device may withhold it. Because the core network functional entity can obtain the identity of the first terminal device, it can perform secondary authentication on the first user using that identity instead, so the identity of the first user is conveyed implicitly and out of band. This strengthens protection of the first user's identity, protects it more efficiently and effectively, and keeps the secondary authentication procedures of new and old terminal devices compatible: a device that still returns the identity is handled as before, and a device that withholds it is handled through the identity of the first terminal device.
With reference to the first aspect, in a possible implementation manner, the method further includes: before performing secondary authentication on the first user, the core network functional entity obtains capability information of the first terminal device, where the capability information of the first terminal device is used to indicate that the core network functional entity can perform secondary authentication on the first user according to the identity of the first terminal device.
In this embodiment the first terminal device sends its capability information to the core network functional entity before secondary authentication is performed, and from that capability information the core network functional entity can determine that it need not request the identity of the first user from the first terminal device. Since the core network functional entity can obtain the identity of the first terminal device, it performs secondary authentication on the first user using that identity and conveys the identity of the first user implicitly, out of band. This strengthens protection of the first user's identity, protects it more efficiently and effectively, and keeps the secondary authentication procedures of new and old terminal devices compatible.
Further, the secondary authentication method provided by the embodiments of this application saves the message that would otherwise request the identity of the first user from the first terminal device, which improves signalling and data-interaction efficiency, streamlines the secondary authentication procedure, and reduces wasted network resources.
With reference to the first aspect, in a possible implementation manner, the capability information of the first terminal device is carried in a registration request message during a primary authentication process between the first terminal device and the first network.
Because the capability information of the first terminal device is carried outside the secondary authentication procedure, no additional secondary authentication message is needed to convey it, which saves network resources and makes better use of existing ones.
With reference to the first aspect, in a possible implementation manner, the identity of the first terminal device corresponds to an identity of the second network that performs secondary authentication on multiple users, where the identities of the multiple users include an identity of the first user, and the method further includes: and the core network functional entity acquires a first indication, wherein the first indication is used for determining the identity of the first user in the identities of the plurality of users.
With reference to the first aspect, in a possible implementation manner, the method further includes: and the core network functional entity selects a first authentication method for the secondary authentication, wherein the first authentication method is supported by both the first terminal equipment and the authentication equipment in the second network.
In this embodiment the core network functional entity selects an authentication method supported by both the first terminal device and the authentication device in the second network and sends it to the authentication device in the second network as the method negotiated between the two. In effect, the core network functional entity and the first terminal device complete the negotiation of the authentication algorithm on the second network's behalf, so the first terminal device and the authentication device in the second network need not negotiate with each other; the message exchange is shortened, latency is reduced, and network resources are saved.
With reference to the first aspect, in a possible implementation manner, the selecting, by the core network function entity, a first authentication method for the secondary authentication includes: the core network functional entity acquires a first authentication method set and a second authentication method set, wherein the first authentication method set comprises an authentication method preferred by the first terminal equipment, and the second authentication method set comprises an authentication method preferred by the authentication equipment in the second network; the core network functional entity determines the first authentication method according to the first authentication method set and the second authentication method set, wherein the first authentication method is an authentication method which is preferred by both the first terminal device and the authentication device in the second network; and the core network functional entity sends the first authentication method to the authentication equipment in the second network.
With reference to the first aspect, in a possible implementation manner, the second set of authentication methods is stored in the core network function entity, and/or the first set of authentication methods is stored in the first terminal device and/or the core network function entity.
With reference to the first aspect, in a possible implementation manner, the method further includes: the core network functional entity acquires a first authentication method set and a second authentication method set, where the first authentication method set includes the authentication methods preferred by the first terminal device and the second authentication method set includes the authentication methods preferred by the authentication device in the second network; and when the first authentication method set and the second authentication method set do not intersect, the core network functional entity sends either the first authentication method set or a second indication to the authentication device in the second network, where the second indication instructs the authentication device in the second network to negotiate the authentication method with the first terminal device.
When the first and second authentication method sets do not intersect, providing the authentication device in the second network with the list of methods preferred by the first terminal device lets that device select a method it can support from the list, which reduces the negotiation exchanges with the first terminal device and the associated latency.
In a second aspect, a method for secondary authentication is provided, which includes: receiving the identity of a first terminal device sent by a core network functional entity, where the identity of the first terminal device is an identity in a first network; determining the identity of a first user according to the identity of the first terminal device and a mapping between the identity of the first terminal device and the identity, in a second network, of the first user on whom secondary authentication is performed, where the identity of the first user is different from the identity of the first terminal device; and performing secondary authentication on the first user according to the identity of the first user.
In this embodiment the authentication device in the second network determines the identity of the first user from the identity of the first terminal device and the mapping between the identity of the first terminal device and the identity of the first user. The core network functional entity therefore does not need to request the identity of the first user from the first terminal device; the identity of the first user is conveyed implicitly, which improves its protection and reduces or eliminates the risk of the user's identity leaking.
With reference to the second aspect, in a possible implementation manner, the receiving an identity of a first terminal device sent by a core network function entity includes: receiving a secondary authentication request sent by the core network functional entity, wherein the secondary authentication request includes the identity of the first terminal device but does not include the identity of the first user; the performing secondary authentication on the first user according to the identity of the first user comprises: and sending a secondary authentication response message to the core network functional entity, wherein the secondary authentication response message is used for indicating the first terminal equipment and the second network to perform secondary authentication on the first user.
With reference to the second aspect, in a possible implementation manner, the identity of the first terminal device corresponds to an identity of the second network that performs secondary authentication on multiple users, where the identities of the multiple users include an identity of the first user, and the method further includes: receiving a first indication sent by a core network function entity, wherein the first indication is used for determining the identity of the first user in the identities of the plurality of users.
With reference to the second aspect, in a possible implementation manner, the method further includes: receiving a first authentication method sent by a core network functional entity, wherein the first authentication method is supported by both the first terminal device and authentication devices in the second network; and performing secondary authentication on the first user according to the first authentication method.
With reference to the second aspect, in a possible implementation manner, the method further includes: receiving a first authentication method set sent by a core network function entity, wherein the first authentication method set comprises an authentication method preferred by the first terminal equipment; selecting a second authentication method from the first authentication method set, wherein the second authentication method is an authentication method supported by authentication equipment in the second network; and performing secondary authentication on the first user according to the second authentication method.
With reference to the second aspect, in a possible implementation manner, the method further includes: receiving a second indication sent by the core network functional entity, where the second indication instructs the authentication device in the second network to negotiate the authentication method with the first terminal device.
In a third aspect, a method for secondary authentication is provided, comprising: establishing a mapping relation between an identity of a first terminal device and an identity of a second network for performing secondary authentication on a first user, wherein the identity of the first terminal device is an identity of the first network; and sending the identity of the first terminal device to a core network function entity, or sending the identity of the first terminal device and a first indication to the core network function entity, wherein the first indication is used for determining the identity of the first user in the identities of a plurality of users in the second network for secondary authentication.
With reference to the third aspect, in a possible implementation manner, the method further includes: before performing secondary authentication on the first user, sending capability information of the first terminal device to the core network function entity, where the capability information of the first terminal device is used to indicate that the core network function entity can perform secondary authentication on the first user according to the identity of the first terminal device.
With reference to the third aspect, in a possible implementation manner, the method further includes: and sending a first authentication method set to the core network function entity, wherein the first authentication method set comprises the authentication methods preferred by the first terminal equipment.
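The exchange described in the first to third aspects, as an added example that is not code from the patent or from Huawei: a core network functional entity, a terminal and an authentication device in the second network are modelled as plain Python classes, with the capability flag learnt at registration, the first message / second message fallback, the first indication for a terminal bound to several users, and the prior-art path for a legacy terminal kept side by side. Identifiers, message layout, the indication tags and the mapping table are all constructed for this demo; the patent fixes none of them.

```python
# Added example, not code from the patent: a minimal model of the secondary
# authentication exchange in the first to third aspects. Identifiers, message
# layout, the indication tags and the mapping table are all constructed here.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Terminal:
    terminal_id: str         # identity of the first terminal device (first-network identity)
    user_id: str             # the user's second-network identity; stays on the device
    supports_implicit: bool  # capability: secondary auth may proceed on terminal_id alone

    def registration_request(self) -> dict:
        # capability information carried in the registration request of primary authentication
        return {"terminal_id": self.terminal_id, "implicit_secondary_auth": self.supports_implicit}

    def identity_response(self) -> dict:
        # second message: reply to the core network's first message asking for the user identity
        if self.supports_implicit:
            return {"terminal_id": self.terminal_id}                       # identity withheld
        return {"terminal_id": self.terminal_id, "user_id": self.user_id}  # legacy behaviour


class SecondNetworkAuthDevice:
    """Authentication device in the second network; owns the terminal -> user mapping."""

    def __init__(self, mapping: Dict[str, Dict[str, str]]) -> None:
        self._mapping = mapping             # terminal_id -> {first_indication_tag: user_id}
        self.sessions: Dict[str, str] = {}  # session -> resolved user, kept locally only

    def _resolve(self, terminal_id: str, indication: Optional[str]) -> Optional[str]:
        candidates = self._mapping.get(terminal_id, {})
        if len(candidates) == 1:            # exactly one user bound: no indication needed
            return next(iter(candidates.values()))
        if indication is None:              # several users and nothing to pick one with
            return None
        return candidates.get(indication)

    def secondary_auth_request(self, msg: dict) -> dict:
        if "user_id" in msg:                # prior-art path: identity was forwarded explicitly
            user = msg["user_id"]
        else:
            user = self._resolve(msg["terminal_id"], msg.get("first_indication"))
        if user is None:
            return {"result": "reject", "reason": "no user bound to terminal"}
        session = f"sess-{len(self.sessions) + 1}"
        self.sessions[session] = user
        # the response only tells the core network to start authenticating; no identity in it
        return {"result": "proceed", "session": session}


class CoreNetworkFunction:
    """Core network functional entity between the first terminal device and the second network."""

    def __init__(self, auth_device: SecondNetworkAuthDevice) -> None:
        self._auth = auth_device
        self._capability: Dict[str, bool] = {}
        self.sent: List[dict] = []          # every secondary authentication request sent

    def primary_registration(self, terminal: Terminal) -> None:
        reg = terminal.registration_request()
        self._capability[reg["terminal_id"]] = reg.get("implicit_secondary_auth", False)

    def secondary_auth(self, terminal: Terminal, first_indication: Optional[str] = None) -> dict:
        msg: dict = {"terminal_id": terminal.terminal_id}
        if first_indication is not None:
            msg["first_indication"] = first_indication
        if not self._capability.get(terminal.terminal_id, False):
            reply = terminal.identity_response()   # capability not known: ask the terminal
            if "user_id" in reply:
                msg["user_id"] = reply["user_id"]  # legacy terminal answered: forward as before
        self.sent.append(dict(msg))
        return self._auth.secondary_auth_request(msg)

    def identity_sent(self, user_id: str) -> bool:
        """Did this user's second-network identity ever leave the core network towards the AAA?"""
        return any(m.get("user_id") == user_id for m in self.sent)


def run_demo():
    """Constructed scenario: a new terminal, a shared terminal and a legacy terminal."""
    mapping = {
        "tid-new-1": {"default": "alice@enterprise.example"},
        "tid-shared-2": {"staff": "bob@enterprise.example", "guest": "carol@enterprise.example"},
        "tid-legacy-3": {"default": "dave@enterprise.example"},
    }
    aaa = SecondNetworkAuthDevice(mapping)
    core = CoreNetworkFunction(aaa)
    new_ue = Terminal("tid-new-1", "alice@enterprise.example", supports_implicit=True)
    shared_ue = Terminal("tid-shared-2", "bob@enterprise.example", supports_implicit=True)
    legacy_ue = Terminal("tid-legacy-3", "dave@enterprise.example", supports_implicit=False)
    core.primary_registration(new_ue)     # capability learnt during primary authentication
    core.primary_registration(legacy_ue)  # legacy device: capability flag is False
    # shared_ue is deliberately not registered: the core must ask it, and it withholds the identity
    results = {
        "new": core.secondary_auth(new_ue),
        "shared_staff": core.secondary_auth(shared_ue, first_indication="staff"),
        "shared_no_indication": core.secondary_auth(shared_ue),
        "legacy": core.secondary_auth(legacy_ue),
    }
    return core, aaa, results
```

The check worth keeping from this model is `identity_sent`: on the new path the user's second-network identity never appears in any message the core network emits, while on the legacy path it does, and the secondary authentication response carries only a session handle, never the resolved identity. A terminal bound to several users is rejected when no first indication accompanies the terminal identity, rather than being matched to an arbitrary user.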
In a fourth aspect, a method for secondary authentication is provided, including: a core network functional entity selects a first authentication method for secondary authentication, wherein the first authentication method is supported by both first terminal equipment and authentication equipment in a second network; and the core network functional entity sends the first authentication method to authentication equipment in a second network.
In this embodiment the core network functional entity selects an authentication method supported by both the first terminal device and the authentication device in the second network and sends it to the authentication device in the second network as the method negotiated between the two. In effect, the core network functional entity and the first terminal device complete the negotiation of the authentication algorithm on the second network's behalf, so the first terminal device and the authentication device in the second network need not negotiate with each other; the message exchange is shortened, latency is reduced, and network resources are saved.
With reference to the fourth aspect, in a possible implementation manner, the selecting, by the core network functional entity, a first authentication method for the secondary authentication includes: the core network functional entity acquires a first authentication method set and a second authentication method set, wherein the first authentication method set comprises an authentication method preferred by the first terminal equipment, and the second authentication method set comprises an authentication method preferred by the authentication equipment in the second network; and the core network functional entity determines the first authentication method according to the first authentication method set and the second authentication method set, wherein the first authentication method is an authentication method which is preferred by both the first terminal equipment and the authentication equipment in the second network.
With reference to the fourth aspect, in a possible implementation manner, the second set of authentication methods is stored in the core network function entity, and/or the first set of authentication methods is stored in the first terminal device and/or the core network function entity.
With reference to the fourth aspect, in a possible implementation manner, the method further includes: the core network functional entity acquires a first authentication method set and a second authentication method set, wherein the first authentication method set comprises an authentication method preferred by the first terminal equipment, and the second authentication method set comprises an authentication method preferred by the authentication equipment in the second network; when the first authentication method set and the second authentication method set do not intersect, the core network functional entity sends the first authentication method set or a second indication to the authentication device in the second network, wherein the second indication is used for indicating the authentication device in the second network to perform authentication method negotiation with the first terminal device.
With reference to the fourth aspect, in a possible implementation manner, the selecting, by the core network functional entity, a first authentication method for the secondary authentication includes: the core network functional entity sends a second authentication method set to the first terminal equipment, wherein the second authentication method set comprises authentication methods preferred by authentication equipment in the second network; and the core network functional entity receives a first authentication method set determined by the first terminal equipment according to the second authentication method set, wherein the first authentication method set comprises an authentication method preferred by the first terminal equipment.
With reference to the fourth aspect, in a possible implementation manner, the first set of authentication methods includes a plurality of authentication methods including the first authentication method, and the method further includes: and the core network functional entity determines the first authentication method according to the first authentication method set.
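The authentication method selection of the first and fourth aspects, as an added example that is not code from the patent or from Huawei: the core network functional entity intersects the terminal's preferred set with the second network's preferred set, falls back to forwarding the terminal's set or sending the second indication when they are disjoint, and the authentication device in the second network acts on whichever message shape it receives. The variant where the core sends the second set to the terminal and the terminal answers with its filtered subset is included too. The preference-ordered lists, the tie-break by the terminal's order, and the EAP method names are assumptions made for this demo; the patent does not fix any of them.

```python
# Added example, not code from the patent: authentication method selection between
# the core network functional entity, the terminal and the second network's AAA.
# Method sets are lists ordered most-preferred first; names are constructed sample data.
from typing import List, Optional


def select_first_authentication_method(terminal_preferred: List[str],
                                       second_network_preferred: List[str]) -> Optional[str]:
    """A method preferred by both sides, or None when the two sets do not intersect."""
    common = set(second_network_preferred)
    for method in terminal_preferred:          # terminal order decides the tie-break (assumption)
        if method in common:
            return method
    return None


def core_network_message(terminal_preferred: List[str],
                         second_network_preferred: List[str],
                         fallback: str = "send_set") -> dict:
    """Message from the core network functional entity to the second network.

    fallback picks one of the two behaviours the patent allows for disjoint sets:
    "send_set" forwards the terminal's preferred set, "indicate" sends the second
    indication telling the second network to negotiate with the terminal itself."""
    chosen = select_first_authentication_method(terminal_preferred, second_network_preferred)
    if chosen is not None:
        return {"first_authentication_method": chosen}
    if fallback == "send_set":
        return {"first_authentication_method_set": list(terminal_preferred)}
    return {"second_indication": True}


def second_network_decision(msg: dict, supported: List[str]) -> dict:
    """How the authentication device in the second network acts on each message shape."""
    if "first_authentication_method" in msg:
        method = msg["first_authentication_method"]
        if method in supported:
            return {"action": "authenticate", "method": method}
        return {"action": "negotiate_with_terminal"}   # defensive: never run an unsupported method
    if "first_authentication_method_set" in msg:
        for method in msg["first_authentication_method_set"]:
            if method in supported:                    # first supported entry in the terminal's order
                return {"action": "authenticate", "method": method}
    return {"action": "negotiate_with_terminal"}       # second indication, or nothing usable


def terminal_filters_second_set(second_network_preferred: List[str],
                                terminal_preferred: List[str]) -> List[str]:
    """Variant in the fourth aspect: the core sends the second set to the terminal and the
    terminal replies with the subset it prefers, keeping its own order."""
    return [m for m in terminal_preferred if m in second_network_preferred]


def run_demo() -> dict:
    ue = ["EAP-TLS", "EAP-TTLS", "EAP-AKA'"]             # first set: preferred by the terminal
    aaa_preferred = ["EAP-TTLS", "EAP-TLS"]              # second set: preferred by the second network
    aaa_supported = ["EAP-TTLS", "EAP-TLS", "EAP-PEAP"]  # everything the second network can run
    out = {}
    msg = core_network_message(ue, aaa_preferred)
    out["common"] = second_network_decision(msg, aaa_supported)
    msg = core_network_message(["EAP-PEAP"], aaa_preferred)           # disjoint: forward the set
    out["disjoint_send_set"] = second_network_decision(msg, aaa_supported)
    msg = core_network_message(["EAP-PEAP"], aaa_preferred, fallback="indicate")
    out["disjoint_indicate"] = second_network_decision(msg, aaa_supported)
    msg = core_network_message(["EAP-PWD"], aaa_preferred)            # nothing the AAA supports
    out["disjoint_unsupported"] = second_network_decision(msg, aaa_supported)
    out["terminal_filtered"] = terminal_filters_second_set(aaa_preferred, ue)
    return out
```

The distinction the patent draws between a method the second network prefers and one it merely supports is what makes the disjoint case work: the AAA's preferred list is what the core intersects against, but when it receives the terminal's list it may accept any method it supports. The `second_network_decision` check that the core-chosen method is actually in `supported` is an added defensive step, since a stale second set stored at the core would otherwise let the core dictate a method the AAA cannot run.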
In a fifth aspect, an apparatus is provided that includes means or units for performing the method of the first aspect or any one of its possible implementations, or means or units for performing the method of the fourth aspect or any one of its possible implementations.
In a sixth aspect, an apparatus is provided that includes means for performing the method of the second aspect or any one of its possible implementations.
In a seventh aspect, an apparatus is provided that includes means or elements for performing the method of the third aspect or any one of its possible implementations.
In an eighth aspect, a communication device is provided, which may be the core network functional entity in the above method design, or a chip disposed in the core network functional entity. The communication device includes a processor coupled to a memory and configured to execute the instructions in the memory so as to implement the method performed by the core network functional entity in the first aspect and any one of its possible implementations, or the method performed by the core network functional entity in the fourth aspect and any one of its possible implementations. Optionally, the communication device further includes the memory. Optionally, the communication device further includes a communication interface, the processor being coupled to the communication interface.
When the communication device is a core network functional entity, the communication interface may be a transceiver, or an input/output interface.
When the communication device is a chip configured in a core network functional entity, the communication interface may be an input/output interface.
In a ninth aspect, a communication apparatus is provided, which may be the authentication device in the second network in the above method design, or a chip provided in the authentication device in the second network. The apparatus includes a processor coupled to a memory and configured to execute the instructions in the memory so as to implement the method performed by the authentication device in the second network in the second aspect and any one of its possible implementations. Optionally, the apparatus further includes the memory. Optionally, the apparatus further includes a communication interface, the processor being coupled to the communication interface.
When the communication device is an authentication apparatus in the second network, the communication interface may be a transceiver, or an input/output interface.
When the communication means is a chip configured in the authentication device in the second network, the communication interface may be an input/output interface.
In a tenth aspect, a communication apparatus is provided, which may be the first terminal device in the above method design, or a chip disposed in the first terminal device. The apparatus includes a processor coupled to a memory and configured to execute the instructions in the memory so as to implement the method performed by the first terminal device in the third aspect and any one of its possible implementations. Optionally, the apparatus further includes the memory. Optionally, the apparatus further includes a communication interface, the processor being coupled to the communication interface.
When the communication device is a first terminal device, the communication interface may be a transceiver, or an input/output interface.
When the communication device is a chip configured in the first terminal equipment, the communication interface may be an input/output interface.
In an eleventh aspect, a computer-readable storage medium is provided, which has instructions stored therein, and when the instructions are executed on a computer, the instructions cause the computer to perform any one of the methods of the first to fourth aspects and possible implementations thereof.
In a twelfth aspect, a computer program product containing instructions is provided, which when run on a computer causes the computer to perform any of the methods of the first to fourth aspects and their possible implementations described above.
In a thirteenth aspect, a communication system is provided, where the communication system includes the core network function entity, the authentication device in the second network, and the first terminal device.
Drawings
FIG. 1 is a schematic diagram of a network system architecture according to an embodiment of the present application;
FIG. 2 is a schematic diagram illustrating an authentication process between a terminal device and a network according to an embodiment of the present application;
FIG. 3 is a schematic flow chart diagram of a method of secondary authentication provided by one embodiment of the present application;
FIG. 4 is a schematic flow chart diagram of a method of secondary authentication provided by another embodiment of the present application;
FIG. 5 is a schematic flow chart diagram of a method of secondary authentication provided by another embodiment of the present application;
FIG. 6 is a schematic flow chart diagram of a method of secondary authentication provided by yet another embodiment of the present application;
FIG. 7 is a schematic flow chart diagram of a method of secondary authentication provided by yet another embodiment of the present application;
FIG. 8 is a schematic flow chart diagram of a method of secondary authentication provided by yet another embodiment of the present application;
FIG. 9 is a schematic flow chart diagram of a method of secondary authentication provided by yet another embodiment of the present application;
FIG. 10 is a schematic flow chart diagram of a method of secondary authentication provided by yet another embodiment of the present application;
FIG. 11 is a schematic flow chart diagram of a method of secondary authentication provided by yet another embodiment of the present application;
FIG. 12 is a schematic flow chart diagram of a method for secondary authentication provided by yet another embodiment of the present application;
FIG. 13 is a schematic block diagram of an apparatus provided by one embodiment of the present application;
FIG. 14 is a schematic block diagram of a communications device provided in one embodiment of the present application;
FIG. 15 is a schematic block diagram of an apparatus provided in another embodiment of the present application;
FIG. 16 is a schematic structural diagram of a communication apparatus provided in another embodiment of the present application;
FIG. 17 is a schematic block diagram of an apparatus provided in accordance with yet another embodiment of the present application;
FIG. 18 is a schematic structural diagram of a communication apparatus according to still another embodiment of the present application.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
The technical solution of the embodiments of the present application can be applied to various communication systems, for example: a global system for mobile communications (GSM) system, a Code Division Multiple Access (CDMA) system, a Wideband Code Division Multiple Access (WCDMA) system, a General Packet Radio Service (GPRS) system, a long term evolution (LTE) system, an LTE Frequency Division Duplex (FDD) system, an LTE Time Division Duplex (TDD) system, a universal mobile telecommunications system (UMTS), a Worldwide Interoperability for Microwave Access (WiMAX) communication system, a fifth generation (5G) system or new radio (NR) system, and a future sixth generation communication system.
The portion of these communication systems operated by an operator may be referred to as the operator network. The operator network, which may also be referred to as a Public Land Mobile Network (PLMN), is a network established and operated by a government or an operator authorized by it for the purpose of providing terrestrial mobile communication services to the public, and is mainly a public network in which a Mobile Network Operator (MNO) provides mobile broadband access services to users. The operator network or PLMN network described in the embodiments of the present application may specifically be a network meeting the requirements of the third generation partnership project (3GPP) standards, referred to as a 3GPP network for short. Generally, a 3GPP network is operated by an operator, and includes, but is not limited to, a fifth-generation mobile communication (5G) network (abbreviated as 5G network), a fourth-generation mobile communication (4G) network (abbreviated as 4G network), a third-generation mobile communication technology (3G) network (abbreviated as 3G network), and a second-generation wireless telephone technology (2G) network (abbreviated as 2G network). For convenience of description, the embodiments of the present application take an operator network (i.e., an MNO network) as an example.
With the expansion of mobile broadband access services, MNO networks will also develop to better support diversified business models, meeting the requirements of more diversified application services and more industries. In order to provide better and more sophisticated services for more industries, next generation networks (i.e., 5G networks) have also been adjusted in network architecture relative to 4G networks. For example, the 5G network splits the Mobility Management Entity (MME) of the 4G network into a plurality of network functions, including an access and mobility management function (AMF) and a Session Management Function (SMF).
Fig. 1 shows a schematic diagram of a network architecture according to an embodiment of the present application, taking as an example a service-based 5G network architecture as defined in the 3GPP standardization process. As shown in fig. 1, the network architecture may include three parts: a terminal device part, an operator network, and a Data Network (DN).
The terminal device portion includes terminal device 110, and terminal device 110 may also be referred to as User Equipment (UE). The terminal device 110 in this embodiment is a device having a wireless transceiving function, and may communicate with one or more Core Networks (CNs) through an access network device in an Access Network (AN) 140. Terminal device 110 may also be referred to as an access terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile device, user terminal, wireless network device, user agent, or user equipment, etc. Terminal device 110 may be deployed on land, including indoors or outdoors, hand-held or vehicle-mounted; it may also be deployed on the water surface (such as on a ship); and it may also be deployed in the air (e.g., on airplanes, balloons, satellites, etc.). Terminal device 110 may be a cellular telephone, a cordless telephone, a Session Initiation Protocol (SIP) phone, a smart phone, a mobile phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capability, a computing device or other device connected to a wireless modem, a vehicle-mounted device, a wearable device, a drone, an internet of things terminal, a terminal in the internet of vehicles, a terminal of any form in a fifth generation mobile communication (5G) network or a future network, a relay user equipment such as a 5G residential gateway (RG), or a terminal in a future evolved Public Land Mobile Network (PLMN), and so on.
For example, the terminal device 110 may be a Virtual Reality (VR) terminal, an Augmented Reality (AR) terminal, a wireless terminal in industrial control (industrial control), a wireless terminal in self driving (self driving), a wireless terminal in remote medical (remote medical), a wireless terminal in smart grid, a wireless terminal in transportation safety (transportation safety), a wireless terminal in smart city (smart city), a wireless terminal in smart home (smart home), or the like. The embodiments of the present application do not limit this.
The operator network may include a network open function (NEF) 131, a network repository function (NRF) 132, a Policy Control Function (PCF) 133, a Unified Data Management (UDM) network element 134, an Application Function (AF) 135, an authentication server function (AUSF) 136, an access and mobility management function (AMF) 137, a session management function (SMF) 138, a user plane function (UPF) 139, and a (radio) access network ((R)AN) 140, etc. In the operator network described above, the part other than the (radio) access network 140 may be referred to as the Core Network (CN) part. For convenience of description, in the embodiments of the present application the (R)AN 140 is described taking the RAN as an example.
The data network DN 120, which may also be referred to as a Packet Data Network (PDN), is typically a network located outside the operator network, such as a third-party network. The operator network may access a plurality of data networks DN 120, and a plurality of services may be deployed on the data networks DN 120 to provide services such as data and/or voice for the terminal device 110. For example, the data network DN 120 may be the private network of an intelligent factory, the sensors installed in the intelligent factory may be the terminal devices 110, and the data network DN 120 may host the control servers of the sensors, which provide services for the sensors. A sensor can communicate with the control server, obtain instructions from the control server, and transmit the sensor data it gathers to the control server according to those instructions. For another example, the data network DN 120 may be the internal office network of a company, the mobile phones or computers of the company's employees may be the terminal devices 110, and the employees' mobile phones or computers may access information, data resources, and the like on the company's internal office network.
Terminal device 110 may establish a connection with the carrier network through an interface provided by the carrier network (e.g., N1, etc.), using data and/or voice services provided by the carrier network. Terminal device 110 may also access data network DN120 through the operator network, using operator services deployed on data network DN120, and/or services provided by third parties. The third party may be a service party other than the operator network and the terminal device 110, and may provide services such as other data and/or voice for the terminal device 110. The specific expression form of the third party may be determined according to an actual application scenario, and is not limited herein.
A brief description of the network functions in the operator network follows.
The access network RAN 140 is a sub-network of the operator network and is the implementation system between a service node in the operator network and the terminal device 110. Terminal device 110 accesses the operator network by first passing through RAN 140 and may then connect to a service node of the operator network through RAN 140. The access network device (RAN device) in this embodiment is a device that provides a wireless communication function for terminal device 110, and may also be referred to as a network device. The RAN device includes but is not limited to: a next generation NodeB (gNB) in a 5G system, an evolved NodeB (eNB) in Long Term Evolution (LTE), a Radio Network Controller (RNC), a NodeB (NB), a Base Station Controller (BSC), a Base Transceiver Station (BTS), a home base station (e.g., a home evolved NodeB or home NodeB, HNB), a Base Band Unit (BBU), a transmission reception point (TRP), a transmission point (TP), a small base station (pico), a mobile switching center, or a network device in a future network, etc. It should be understood that the specific type of access network device is not limited herein. In systems using different radio access technologies, the names of the devices that function as access network devices may vary. For convenience of description, in all embodiments of the present application, the above-mentioned apparatus for providing a wireless communication function for the terminal device 110 is collectively referred to as an access network device.
The access and mobility management function AMF (also referred to as AMF network function or AMF network function entity) 137 is a control plane network function provided by the operator network and is responsible for access control and mobility management of the terminal device 110 accessing the operator network, including functions such as mobility state management, assigning temporary identities of users, authenticating and authorizing users, etc.
The session management function SMF (also referred to as SMF network function or SMF network function entity) 138 is a control plane network function provided by the operator network and is responsible for managing Protocol Data Unit (PDU) sessions of the terminal device 110. A PDU session is a channel for transmitting PDUs; a terminal device needs to communicate with the data network DN 120 through a PDU session. The SMF network function 138 is responsible for the establishment, maintenance, deletion, etc. of PDU sessions. The SMF network function 138 includes session-related functions such as session establishment, modification and release, including tunnel maintenance between the user plane function UPF 139 and the access network AN 140, selection and control of the UPF network function 139, Service and Session Continuity (SSC) mode selection, roaming, etc.
The user plane function UPF (which may also be referred to as a UPF network function or UPF network function entity) 139 is a gateway provided by the operator, which is a gateway for the operator's network to communicate with the data network DN 120. The UPF network function 139 includes user plane related functions such as packet routing and transmission, packet detection, service usage reporting, quality of service (QoS) processing, lawful interception, uplink packet detection, downlink packet storage, and the like.
The unified data management network element UDM (which may also be referred to as UDM network function or UDM network function entity) 134 is a control plane function provided by the operator and is responsible for storing information such as the subscriber permanent identifier (SUPI), credentials, security context, and subscription data of the subscribers of the operator network. The SUPI is encrypted during transmission, and the encrypted SUPI is called the subscription concealed identifier (SUCI). The information stored by the UDM network function 134 may be used for authentication and authorization of the terminal device 110 when it accesses the operator network. A subscriber of the operator network may specifically be a user using a service provided by the operator network, for example, a user of a China Telecom mobile phone SIM card, or a user of a China Mobile mobile phone SIM card, and the like. The permanent subscription identity SUPI of the subscriber may be the number of the mobile phone SIM card. The credentials and security context of the subscriber may be a small file containing an encryption key stored on the mobile phone SIM card, or information related to the encryption of the SIM card, and that small file is used for authentication and/or authorization. The security context may be data (a cookie) or a token stored on the user's local terminal (e.g., a mobile phone), etc. The subscription data of the subscriber may be the services associated with the SIM card, such as a traffic package or the network used by the SIM card. It should be noted that, for convenience of description, the permanent identifier, the credential, the security context, the authentication data (cookie), the token, and equivalent authentication- and authorization-related information are not distinguished or limited in the embodiments of the present application.
Unless otherwise specified, the embodiments of the present application will be described in terms of security information, but the embodiments of the present application are also applicable to authentication and/or authorization information in other forms.
The authentication server function AUSF (which may also be referred to as an AUSF network function or AUSF network function entity) 136 is a control plane function provided by the operator and is typically used for a first level of authentication, i.e. authentication between the terminal device 110 (subscriber) and the operator network. After receiving the authentication request initiated by the subscriber, the AUSF network function 136 may authenticate and/or authorize the subscriber through the authentication information and/or authorization information stored in the UDM network function 134, or generate the authentication and/or authorization information of the subscriber through the UDM network function 134. The AUSF network function 136 may feed back authentication information and/or authorization information to the subscriber.
The network open function NEF (which may also be referred to as NEF network function or NEF network function entity) 131 is an operator-provided control plane function. The NEF network function 131 opens an external interface of the operator network to a third party in a secure manner. When the SMF network function 138 needs to communicate with a third party's network function, the NEF network function 131 may act as a relay between the SMF network function 138 and the third party's network entity. When acting as a relay, the NEF network function 131 may translate the subscriber's identification information, as well as the identification information of the third party's network function. For example, when the NEF network function 131 sends the SUPI of a subscriber from the operator network to the third party, it may translate the SUPI into its corresponding external Identity (ID). Conversely, when the NEF network function 131 sends an external ID (a network entity ID of a third party) to the operator network, it may translate it into a SUPI.
The policy control function PCF (which may also be referred to as a PCF network function or PCF network function entity) 133 is a control plane function provided by the operator for providing policies for PDU sessions to the SMF network function 138. The policies may include charging related policies, QoS related policies, authorization related policies, and the like.
A Network Slice Selection Function (NSSF) (not shown) is responsible for determining network slice instances, selecting the AMF network function 137, etc.
In fig. 1, Nnef, Nausf, Nnrf, Npcf, Nudm, Naf, Namf, Nsmf, N1, N2, N3, N4, and N6 are interface identifiers. The meaning of these interface identifiers can be found in the 3GPP standard protocols, and is not limited herein. It should be noted that fig. 1 only illustrates the terminal device 110 as a UE, and the interface names between the network functions in fig. 1 are also only examples; in a specific implementation, the interface names of the system architecture may be other names, which is not specifically limited in the embodiments of the present application.
The mobility management network function in the embodiments of the present application may be the AMF network function 137 shown in fig. 1, or may be another network function having the functions of the AMF network function 137 in a future communication system. Alternatively, the mobility management network function in the present application may also be a Mobility Management Entity (MME) in Long Term Evolution (LTE), and the like.
For convenience of description, in the embodiment of the present application, a mobility management network function is described as an example of the AMF network function 137. Further, the AMF network function 137 is abbreviated as AMF, and the terminal device 110 is referred to as UE, that is, the AMF described later in this embodiment of the present application may be replaced by a mobility management network function, and the UE may be replaced by the terminal device.
The network architecture shown in fig. 1 (for example, a 5G network architecture) adopts a service-based architecture and general interfaces. Based on Network Function Virtualization (NFV) technology, a conventional network element function is split into a plurality of self-contained, self-managed, and reusable network function service modules; a customized network function reconfiguration can be realized by flexibly defining the set of service modules, and a service flow is formed externally through a unified service call interface. The network architecture diagram shown in fig. 1 can be understood as a service-based 5G network architecture diagram in a non-roaming scenario. In this framework, different network functions are combined as required by a specific scenario, and customization of network capability and service can be realized, so that special networks are deployed for different services and 5G network slicing is realized. Network slicing technology enables an operator to respond to customer requirements more flexibly and quickly, and supports flexible allocation of network resources.
Network slicing can be simply understood as cutting an operator's physical network into a plurality of virtual end-to-end networks, where each virtual network, including the devices, access, transport, and core networks within it, is logically independent, and a failure of any one virtual network does not affect the other virtual networks. Currently, various scenarios place different requirements on the 3rd generation partnership project (3GPP) ecosystem, such as charging, policy, security, mobility, etc. 3GPP emphasizes that network slices do not affect each other; for example, a large amount of bursty meter-reading traffic should not affect normal mobile broadband traffic. In order to meet the diversity requirement and the isolation between slices, relatively independent management, operation and maintenance between services are required, and customized service functions and analysis capability must be provided. Instances of different types of services may be deployed on different network slices, as may different instances of the same service type.
A slice in a 5G network is a virtual private network made up of a set of network functions and sub-networks. For example, the sub-networks RAN 140, AMF network function 137, SMF network function 138, and UPF network function 139 in fig. 1 may form a slice. Each network function in fig. 1 is only drawn once, whereas in an actual network deployment there may be many, tens or hundreds, of each network function or sub-network. Many network slices can be deployed in an operator network, and each slice can have different performance to meet the requirements of different applications and different vertical industries. The operator can tailor a slice according to the requirements of customers in different vertical industries. The operator can also allow some industry customers greater autonomy and let them participate in part of the management and control functions of the slice. Slice-level authentication is one such network control function in which an industry customer participates, namely the authentication and authorization of an end user's access to a slice.
Still taking fig. 1 as an example, when the core network CN deploys network slices and the UE 110 needs to access a certain network slice, the UE 110 may indicate the requested network slice to the core network. The network slice requested by the UE 110 may be represented by a requested network slice set, or by requested network slice selection assistance information (requested NSSAI). A network slice set includes one or more network slices. The requested NSSAI is represented by one or more single network slice selection assistance information (S-NSSAI) values, and each S-NSSAI identifies a network slice type; it may also be understood that an S-NSSAI identifies a network slice, or that an S-NSSAI is the identification information of a network slice. For ease of understanding, in the following description the embodiments of the present application do not strictly distinguish between "network slice" and "S-NSSAI", and the two terms are used interchangeably. The "network slice" in the embodiments of the present application may also be referred to as "slice" or "network slice instance"; the three have the same meaning, which is stated here once and will not be repeated later.
After UE 110 sends a registration request to the network, a core network function (e.g., the AMF network function 137 or the NSSF network function) selects the set of network slices that UE 110 is allowed to access, based on a comprehensive judgment of the subscription data of UE 110, the requested NSSAI of UE 110, roaming agreements, local configuration, and other information. The set of network slices allowed to be accessed may be represented by the allowed NSSAI, and the allowed NSSAI contains the S-NSSAIs that the current operator network allows the UE to access.
UE 110 may need to be mutually authenticated with, and authorized for, the network and/or network slice before being allowed to access the network or network slice. Currently, in the 5G standard, the network directly performs authentication and authorization on the UE 110, and this type of authentication and authorization is called primary authentication.
With the development of vertical industries and the internet of things, it is expected that a data network DN 120 outside the operator network (e.g., a DN serving a vertical industry) will also need to authenticate and authorize a UE 110 accessing the DN 120. For example, a business company provides a game platform that offers game services to players via an operator network. On the one hand, since the UE 110 used by the player accesses the game platform through the operator network, the operator network needs to authenticate and authorize the UE 110, i.e., primary authentication. On the other hand, the game player is a customer of the business company, which also needs to authenticate and authorize the player; if that authentication is based on network slices, or performed per slice, it may be called slice authentication, secondary authentication, or slice-specific authentication.
It should be noted that both primary authentication and secondary authentication are authentication between the UE 110 (or a user using the UE 110) and a network (the operator network or a third-party network). For example, primary authentication refers to authentication between the UE and the operator network: the operator network performs primary authentication on the UE 110 during the registration procedure of the UE 110, and if the primary authentication passes, the security context of the UE 110 may be established. For another example, secondary authentication refers to authentication between the UE 110 (or a user using the UE 110) and a network other than the operator network (i.e., a third-party network); the third-party network may notify the operator network of the secondary authentication result, so that the operator network authorizes or denies the UE 110 access to the part of the operator network that serves the third-party network.
It should be noted that, in the embodiments of the present application, secondary authentication may also be referred to as secondary authentication for a slice, slice authentication, or identity authentication for a user (a user using UE 110), with the following meaning: the secondary authentication performed between the UE 110 (or the user using the UE 110) and the third-party network determines whether the operator network authorizes the UE to access the slice. It should also be understood that the method applied to secondary authentication in the embodiments of the present application is also applicable to session-based secondary authentication or slice-based secondary authentication, which will not be described in detail herein.
Fig. 2 shows a schematic diagram of an authentication flow between a terminal device and a network. The authentication process between the terminal device and the network comprises a primary authentication process and a secondary authentication process, where the primary authentication process is an authentication process between the UE and the operator network, and the secondary authentication process is an authentication process between the UE, or a user using the UE, and a third-party network. In the embodiments of the present application, the phrase "secondary authentication process between the UE and the third-party network" may be understood as a secondary authentication process between a certain user using the UE and the third-party network. As shown in fig. 2, for example, the primary authentication procedure is an authentication procedure between the UE 210 and the core network CN 230, and the secondary authentication procedure is an authentication procedure between a user using the UE 210 and the data network DN 220; both the primary authentication procedure and the secondary authentication procedure may be understood as part of the registration procedure of the UE 110. For convenience of understanding and description, in the embodiments of the present application the authentication device in the DN 220 is taken to be an authentication, authorization, and accounting (AAA) server, which may be denoted AAA-S (AAA server), and an AAA proxy function (AAA-F) network element may be located in the core network CN 230.
Referring to fig. 2, the main steps of the UE 210 registration procedure may be as follows:
Step 1. The terminal device sends the network a registration request to access the network, carrying the identity information of the terminal device. For example, the UE 210 may send an access request to the AMF network function entity 237 in the core network CN 230, carrying identity information of the UE 210 such as the encrypted identity information SUCI, or temporary identity information such as the globally unique temporary identifier (GUTI).
Step 2. The network judges whether to initiate primary authentication between the network and the terminal device according to the identity information sent by the terminal device. For example, the AMF network function 237 may forward the encrypted identity information SUCI received from the UE 210 to the UDM network function 234; the UDM network function 234 decrypts the SUCI to recover the true identity SUPI of the UE 210 and returns the SUPI to the AMF network function 237. The AMF network function 237 then initiates a primary authentication procedure between the network and the UE 210 based on the true identity SUPI of the UE 210.
Step 3. After primary authentication between the terminal device and the network succeeds, the network may authorize the terminal device to access the operator network. Illustratively, after the primary authentication succeeds, the AMF network function 237 authorizes the UE 210 to access the network.
After steps 1 to 3, the primary authentication process between the terminal device and the network may be considered complete. On the other hand, if the UE sent the temporary identity GUTI in step 1, the AMF checks the validity of the GUTI on the network side in step 2; if the GUTI is valid, the previous primary authentication is still in force and a new primary authentication is not needed.
Step 4, the network judges whether the terminal device needs further secondary authentication. Illustratively, the AMF network function 237 determines, according to information held locally by the AMF network function 237 or in the UDM network function 234, whether the slice to which the UE 210 requests access requires slice authentication (i.e. secondary authentication).
Step 5, if the terminal device needs secondary authentication, the network triggers the secondary authentication flow between the terminal device and the data network DN. Illustratively, when the UE 210 needs to perform secondary authentication, the AMF network function 237 triggers a secondary authentication procedure between the UE 210 and the DN 220. In the embodiment of the present application, slice authentication is taken as the example of secondary authentication; the slice authentication process may use the Extensible Authentication Protocol (EAP) standardized by the Internet Engineering Task Force (IETF) as its basic authentication mechanism. The EAP mechanism is highly flexible and can support dozens of specific EAP authentication methods.
It should be understood that, in the embodiment of the present application, the terminal device needs to perform the secondary authentication, which may be understood as that a certain user using the terminal device needs to perform the secondary authentication, and taking the secondary authentication as the slice authentication as an example, the UE 210 needs to perform the secondary authentication, which may be understood as that a certain user using the UE 210 needs to perform the secondary authentication.
Step 6, the secondary authentication is completed through multiple rounds of signaling interaction between the terminal device and the data network, and the data network informs the operator network of the secondary authentication result, so that the operator network continues with other processes according to that result, such as the rest of the registration process, termination of the registration process, or other related processes, which are not listed one by one. For example, taking slice authentication as the secondary authentication, when secondary authentication is performed between a certain user of the UE 210 and the DN 220, slice authentication needs to be completed through multiple rounds of signaling interaction, and the DN 220 needs to obtain the user identity that was subscribed between the UE 210 and the DN 220, that is, the identity of the certain user using the UE 210. For convenience of description this identity is referred to in this embodiment as the DN user identity (DUI); in some embodiments the user identity information may also be referred to as the user ID. The user ID used for the secondary authentication is generally subscription information of the terminal device with an external network other than the carrier network, although this is not necessarily the case. Taking the example shown in Fig. 2, the UE 210 sends the DUI to the AMF network function 237 in the core network CN 230, the AMF network function 237 may forward the DUI to an authentication device in the DN 220 (for example, the AAA-S 221 shown in the figure), and the authentication device in the DN 220 notifies the AMF network function 237 of the secondary authentication result after the secondary authentication succeeds. It should be noted that, in some embodiments, the DUI information is sent to the AMF in a message container and the container is forwarded directly to the DN by the AMF, so-called "transparent transmission".
In this case, the AMF does not parse the DUI in the container, i.e. the AMF does not learn the DUI of the user. Additionally, in some embodiments, the DUI may be forwarded from the AMF network function 237 to the authentication device in the DN 220 via the AAA-F 238. At this point, the primary authentication process and the secondary authentication process between the terminal device and the network are complete, and the operator network can continue with the other registration processes of the terminal device.
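Steps 1 to 6 above, as an added example that is not part of the patent and is written in Python for illustration: a toy AMF that decides between a SUCI-driven primary authentication and re-use of a valid GUTI, consults subscription data for the slice authentication decision, and forwards the DUI container to the AAA-S without parsing it. The subscriber tables, the `suci-`/`guti-` encodings and the base64 "concealment" are constructed assumptions standing in for the real 3GPP procedures (ECIES-based SUCI, 5G-AKA), so what it shows is the structure of the decisions, not the cryptography.

```python
import base64
import json


# Constructed sample data (hypothetical subscribers, not from the patent).
# UDM subscription data keyed by SUPI: whether the requested slice needs
# slice (secondary) authentication.
UDM_SUBSCRIPTIONS = {
    "imsi-460010000000001": {"slice_auth_required": True},
    "imsi-460010000000002": {"slice_auth_required": False},
}
# Subscriber table of the data network's AAA-S, keyed by DUI (constructed).
AAA_DN_USERS = {"alice@dn.example": True, "mallory@dn.example": False}


def conceal_supi(supi: str) -> str:
    """Toy SUCI (base64 of the SUPI). Placeholder for the ECIES scheme of
    3GPP TS 33.501: it only models that the AMF hands the SUCI to the UDM
    instead of reading it."""
    return "suci-" + base64.urlsafe_b64encode(supi.encode()).decode()


def udm_deconceal(suci: str) -> str:
    """UDM side of step 2: restore the SUPI from the SUCI."""
    if not suci.startswith("suci-"):
        raise ValueError("not a SUCI")
    return base64.urlsafe_b64decode(suci[len("suci-"):]).decode()


class AAAServer:
    """Authentication device in the DN (AAA-S). Only it opens the container."""

    def __init__(self, users):
        self.users = users

    def slice_auth(self, container: bytes) -> str:
        dui = json.loads(container)["dui"]  # the DUI becomes visible here only
        return "success" if self.users.get(dui) else "failure"


class AMF:
    def __init__(self, udm, aaa_s):
        self.udm = udm
        self.aaa_s = aaa_s
        self.contexts = {}  # GUTI -> SUPI for contexts whose primary auth is still valid
        self.events = []    # what the AMF did and saw, for inspection

    def _primary_auth(self, supi: str) -> str:
        # The real 5G-AKA / EAP-AKA' run is out of scope: record that it ran
        # and allocate a GUTI for the new security context.
        self.events.append("primary-auth:" + supi)
        guti = "guti-%d" % (len(self.contexts) + 1)
        self.contexts[guti] = supi
        return guti

    def register(self, request: dict) -> dict:
        # Steps 1-2: the identity carried in the request decides whether a
        # primary authentication is run.
        if "suci" in request:
            supi = udm_deconceal(request["suci"])
            guti = self._primary_auth(supi)
        elif request.get("guti") in self.contexts:
            guti = request["guti"]
            supi = self.contexts[guti]
            self.events.append("guti-valid:" + supi)
        else:
            return {"result": "reject", "reason": "unknown GUTI, send SUCI"}
        # Step 3: authorize access to the operator network.
        self.events.append("authorized:" + supi)
        # Step 4: does the requested slice need secondary authentication?
        if not self.udm[supi]["slice_auth_required"]:
            return {"result": "registered", "guti": guti, "slice_auth": "not-required"}
        # Steps 5-6: trigger slice authentication; the container is forwarded
        # as an opaque blob, the AMF never parses the DUI inside it.
        container = request.get("container")
        if container is None:
            return {"result": "reject", "reason": "slice auth required, no container"}
        self.events.append("forward-container:%d-bytes" % len(container))
        outcome = self.aaa_s.slice_auth(container)
        return {"result": "registered" if outcome == "success" else "reject",
                "guti": guti, "slice_auth": outcome}


def build_ue_request(supi=None, guti=None, dui=None) -> dict:
    """UE side: SUCI on first contact, GUTI on re-registration; the DUI only
    ever appears inside the transparent container."""
    req = {}
    if supi is not None:
        req["suci"] = conceal_supi(supi)
    if guti is not None:
        req["guti"] = guti
    if dui is not None:
        req["container"] = json.dumps({"dui": dui}).encode()
    return req


def demo():
    amf = AMF(UDM_SUBSCRIPTIONS, AAAServer(AAA_DN_USERS))
    results = [
        amf.register(build_ue_request(supi="imsi-460010000000001", dui="alice@dn.example")),
        amf.register(build_ue_request(guti="guti-1", dui="alice@dn.example")),
        amf.register(build_ue_request(supi="imsi-460010000000002")),
        amf.register(build_ue_request(supi="imsi-460010000000001", dui="mallory@dn.example")),
        amf.register(build_ue_request(guti="guti-stale")),
    ]
    return amf, results


if __name__ == "__main__":
    amf, results = demo()
    for r in results:
        print(r)
    print("AMF saw:", amf.events)
```

Run it and inspect `amf.events`: the AMF log records which identity path each registration took and how many container bytes it forwarded, but never contains a DUI, which is the transparent-transmission property of step 6.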
It was mentioned above that the secondary authentication procedure between the terminal device and the data network may be based on the EAP authentication mechanism, which can support tens of specific EAP authentication methods. Different terminal devices may support different or the same EAP authentication methods for the same data network; the same terminal device may support different or the same EAP authentication methods for different data networks; and different data networks may support different or the same EAP authentication methods. A terminal device may support one or more EAP authentication methods, and so may a data network. However, when performing secondary authentication between a terminal device and a data network, an EAP authentication method supported by both must be adopted. It should be understood that, in the embodiment of the present application, an EAP authentication method supported by the data network may also be understood as an EAP authentication method supported by the authentication device in the data network; the two expressions mean the same and are not strictly distinguished.
For example, a secondary authentication procedure between the terminal device and the data network is briefly described below, taking the EAP-TLS (transport layer security) authentication method as the method adopted between the terminal device and the data network.
The interaction between the authentication client and the authentication network is shown below. The authentication client (the Authenticating Peer in EAP terms) may be understood as the terminal device 110 in Fig. 1 or the UE 210 in Fig. 2, and the authentication network (the Authenticator in EAP terms) may be understood as the AMF network function 137 in Fig. 1 or the AMF 237 in Fig. 2. Only part of the secondary authentication procedure between the terminal device and the data network is shown below, namely the part in which the terminal device interacts with the operator network; it should be understood that the procedure also includes the part in which the operator network interacts with the data network, for example the AMF network function interacting with the AAA server.
[Figure: EAP-TLS message exchange between the Authenticating Peer and the Authenticator; shown as two images in the original page.]
It can be seen from the above interaction between the authentication client and the authentication network that, with the EAP-TLS authentication method, four rounds of bidirectional signaling interaction between the authentication client and the authentication network are needed to complete authentication. In the first round, the authentication network usually sends a user ID request message to the authentication client, requesting the identity (e.g. UID or user ID) of a certain user of the authentication client; after receiving the request, the authentication client reports that ID to the authentication network, and the authentication network forwards the user ID to the authentication device (e.g. the AAA server) in the data network. Throughout, the user ID is sent by the authentication client to the authentication network and then by the authentication network to the authentication device in the data network, so the security protection of the user ID on the path from the authentication client to the authentication device in the data network must be considered; otherwise the user ID risks being leaked.
Among the authentication methods supported by the existing EAP mechanism, the way the user ID is sent depends on the EAP method used: the user ID may be sent in plaintext, as a partial ID, in anonymized form, or encrypted, and different EAP methods may use different ways of sending it. To protect the user ID and strengthen its security in transit, different degrees of security enhancement are needed for different methods. For example, a method that originally sends the user ID in plaintext needs the user ID to be protected before it is sent, whereas a method that already protects the user ID needs no additional protection mechanism. In other words, the system would need a different modification of the user ID transmission policy for each authentication method, and since the EAP mechanism supports dozens of methods, considering a different modification for each of them would make the secondary authentication process considerably more complicated to implement. More effective protection of the user ID is therefore a problem to be solved.
The embodiment of the application provides a secondary authentication method, which can perform a secondary authentication process between a terminal device and a network in a manner of not directly sending a user ID, and can efficiently ensure the safety protection of the user ID. The following describes an embodiment of the present application in detail with reference to fig. 3.
Fig. 3 shows a schematic flow chart of a method of secondary authentication of an embodiment of the present application. The method 300 of fig. 3 may be performed by a core network function entity. The core network function entity may be, for example, the AMF network function entity 137 or the SMF network function entity 138 shown in fig. 1. The method 300 may include steps S310 through S340.
In step S310, the core network function entity obtains an identity of the first terminal device.
The identity of the first terminal device is an identity in the first network. It may also be understood as the identity by which the first network authenticates the first terminal device, i.e. the identity used by the first network for primary authentication of the first terminal device. In some embodiments, the identity of the first terminal device may be referred to as the UE ID.
Alternatively, the first network may be the above mentioned operator network, e.g. a 5G network, a 4G network, a 3G network, etc. The core network functional entity is a network functional entity in the first network, and in some embodiments, the core network functional entity may also be referred to as a core network element.
Alternatively, the core network functional entity may be an access and mobility management function AMF (also referred to as AMF network function) or a unified data management network element UDM (also referred to as UDM network function).
There are various ways for the core network functional entity to obtain the identity of the first terminal device.
As an example, the core network function entity may directly obtain the identity of the first terminal device from the first terminal device. For example, in step S310, the first terminal device may send the identity of the first terminal device to the core network function entity.
As another example, the core network function entity may indirectly obtain the identity of the first terminal device. For example, in step S310, the core network function entity includes a first core network function entity and a second core network function entity, the first terminal device sends the identity of the first terminal device to the first core network function entity, and the first core network function entity sends the identity of the first terminal device to the second core network function entity, where the second core network function entity obtains the identity of the first terminal device in an indirect manner.
As another example, the identity of the first terminal device may be directly stored in the core network function entity, and the core network function entity may obtain the identity of the first terminal device directly from its own storage device.
The identity of the first terminal device may take various forms; for example, it may be the subscription permanent identifier (SUPI) of the subscriber (i.e. the first terminal device) in the first network, the subscription concealed identifier (SUCI), the globally unique temporary identifier (GUTI), or the generic public subscription identifier (GPSI). Each of the identities listed above may be referred to as the UE ID; for the first terminal device, its SUPI, SUCI, GUTI and GPSI can all uniquely identify it, but their representations differ and there is a correspondence between them. Alternatively, when the identity of the first terminal device is a GPSI, the specific form of the GPSI may be defined by the first network.
For example, taking the identity of the first terminal device as the GPSI as an example, the process of the core network function entity acquiring the GPSI of the first terminal device may be as follows: the core network functional entity may first obtain the SUPI of the first terminal device, and then determine the GPSI of the first terminal device according to the SUPI of the first terminal device and the correspondence between the SUPI of the first terminal device and the GPSI of the first terminal device. In other words, the core network functional entity may map the acquired SUPI of the first terminal device to the GPSI of the first terminal device according to the mapping relationship between the SUPI and the GPSI.
Further, optionally, the core network function entity may first obtain the SUCI of the first terminal device, then de-conceal the SUCI to restore the SUPI of the first terminal device, and then determine the GPSI of the first terminal device according to the SUPI of the first terminal device and the correspondence between the SUPI and the GPSI of the first terminal device.
For example, if the identity of the first terminal device is the GPSI and the core network function entity is the AMF network function entity, the first terminal device may send its SUCI to the AMF network function entity, which sends the SUCI to the UDM network function entity for de-concealment; the UDM network function entity restores the SUPI of the first terminal device from the SUCI and sends the SUPI to the AMF network function entity, and the AMF network function entity maps the obtained SUPI to the GPSI of the first terminal device, thereby obtaining the identity of the first terminal device. Of course, the mapping from the SUPI to the GPSI of the first terminal device may instead be done by the UDM network function entity, that is, the UDM maps the SUPI to the GPSI directly after restoring the SUPI from the SUCI, and sends the resulting GPSI to the AMF network function entity. In some embodiments, the SUPI of the first terminal device may be stored in the AMF network function entity or the UDM network function entity; the first terminal device may then send indication information to the AMF or UDM network function entity that indicates its SUPI, and the AMF or UDM network function entity maps the stored SUPI corresponding to that indication to the GPSI of the first terminal device.
Adopting the GPSI as the identity of the first terminal device preserves the privacy of the identity of the first terminal device: the GPSI corresponds to the SUPI, but this correspondence is known only to the operator and is not disclosed externally, so using the GPSI towards a public network or an external data network does not leak the SUPI. What is kept private is the correspondence between GPSI and SUPI, not the GPSI value itself, which is the identifier the external network sees; its form is therefore a choice for the first network, as noted above.
It should be understood that the above-mentioned core network function entity is only an example, the core network function entity may also be another network function entity, and mapping the SUPI of the first terminal device to the GPSI of the first terminal device may also be completed by another network function entity, which is not limited in this embodiment of the present application.
Optionally, the identity of the first terminal device may be obtained by the core network function entity in the process of performing primary authentication on the first terminal device, or the identity of the first terminal device may be obtained by the core network function entity through other procedures, which is not specifically limited in this embodiment of the application.
In step S320, the core network functional entity sends the identity of the first terminal device to the authentication device in the second network.
The identity of the first terminal device is used to determine the identity by which the second network performs secondary authentication on the first user. In this embodiment, the identity by which the second network performs secondary authentication on the first user may be understood as the identity of the first user, which is different from the identity of the first terminal device. The identity of the first user may be understood as an identity in the second network, or as the identity of a subscriber (i.e. the first user) of the second network. In other words, the identity of the first terminal device is the identity by which the first network performs primary authentication on the first terminal device, and the identity of the first user is the identity by which the second network performs secondary authentication on the first user.
It should be understood that the core network function entity sends the identity of the first terminal device to the authentication device in the second network, which may be understood as the core network function entity sending the identity of the first terminal device to the second network.
Optionally, the sending, by the core network function entity, the identity of the first terminal device to the authentication device in the second network includes: the core network functional entity sends a secondary authentication request to the authentication equipment in the second network, wherein the secondary authentication request comprises the identity of the first terminal equipment but does not comprise the identity of the first user. In other words, the identity of the first terminal device may be included in the secondary authentication request, and the core network functional entity may send only the identity of the first terminal device to the authentication device in the second network, without sending the identity of the first user.
Alternatively, the second network may be a data network DN, and the authentication device in the second network may be an AAA server (or AAA-S).
In step S330, the authentication device in the second network determines the identity of the first user according to the identity of the first terminal device and the mapping relationship between the identity of the first terminal device and the identity of the second network performing secondary authentication on the first user.
In this embodiment of the application, the authentication device in the second network may pre-establish or store a mapping relationship between the identity of the first terminal device and the identity of the second network subscriber (i.e., the identity of the first user), and then the authentication device in the second network may determine the identity of the second network subscriber (i.e., the identity of the first user) according to the identity of the first terminal device and the mapping relationship.
It should be understood that, in the embodiment of the present application, the mapping relationship between the identity of the first terminal device and the identity of the first user may also be understood as a mapping relationship between the first terminal device and the first user, that is, the first terminal device and the first user may be conceptually separated. For example, the first terminal device may be an entity device, and different terminal devices have their own identity identifiers, where the identity identifier of the first terminal device is used to identify the first terminal device; the first user may be an account or an account number, and different users have their own identity, and the identity of the first user is used to identify the first user.
On the other hand, it should be understood that, in the embodiment of the present application, the mapping relationship between the identity of the first terminal device and the identity of the first user may also be understood as a mapping relationship between the subscriber (with the operator of the first network) using the first terminal device in the first network and the subscriber (with the operator of the second network) using the first terminal device in the second network; that is, the subscription of the first terminal device in the first network and its subscription in the second network may be conceptually separated.
Optionally, the identity of the first terminal device and the identity of the first user may be in one-to-one mapping, or in many-to-one mapping, or in one-to-many mapping.
As an example, the identity of the first terminal device and the identity of the first user are in a one-to-one mapping relationship. In other words, the mapping between the identity of the first terminal device and the identity of the first user is one-to-one, that is, the identity of the first user can be uniquely determined according to the identity of the first terminal device. Thus, after the authentication device in the second network receives the identity of the first terminal device, the identity of the first user can be directly obtained by inquiring the pre-stored mapping relation.
As another example, the identity of the first terminal device and the identity of the first user are in a many-to-one mapping relationship. In other words, the mapping of the identity of the first terminal device to the identity of the first user is many-to-one, that is, the identities of a plurality of terminal devices may all be mapped to the identity of the first user, where the identities of the plurality of terminal devices include the identity of the first terminal device, but for any one terminal device in the plurality of terminal devices, the identity of the first user may be uniquely determined according to the identity of the one terminal device. Thus, after the authentication device in the second network receives the identity of the first terminal device, the identity of the first user can also be obtained directly by querying the mapping relation stored in advance.
As yet another example, the identity of the first terminal device and the identity of the first user are in a one-to-many mapping relationship. In other words, the mapping from the identity of the first terminal device to the identity of the first user is one-to-many, that is, the identity of the first terminal device may be mapped to the identities of multiple users, where the identities of the multiple users include the identity of the first user, and then for the first terminal device, the identities of the multiple users may be determined according to the identity of the first terminal device, and the identities of the multiple users are all the identities of the second network. Therefore, the identity of the first user also needs to be determined from the identities of the plurality of users.
Therefore, optionally, when the identity of the first terminal device corresponds to an identity of the second network for performing secondary authentication on multiple users, where the identities of the multiple users include an identity of the first user, the core network function entity may obtain a first indication, where the first indication is used to determine the identity of the first user in the identities of the multiple users, or may be understood as the first indication used to indicate the identity of the first user in the identities of the multiple users. It should be understood that the plurality of users correspond to the identifiers of the plurality of users one to one, that is, each user in the plurality of users corresponds to one identifier. For example, serial numbers may be pre-assigned to the identities of a plurality of users mapped to the same terminal device (i.e. the first terminal device), and the first indication may include a serial number corresponding to the identity of the first user, and the first indication needs to be sent in addition to the identity of the first terminal device. The identity of the first user for secondary authentication may be uniquely determined from the identities of the plurality of users based on the serial number of the identity of the first user in the first indication.
The core network functional entity may obtain the identity of the first terminal device and the first indication at the same time, for example, in step S310, obtain the identity of the first terminal device and the first indication at the same time; the core network functional entity may also separately obtain the identity of the first terminal device and the first indication, which is not specifically limited in this embodiment of the present application. When the identity of the first terminal device and the first indication are acquired separately, the first indication may also be used to indicate that the identity of the first terminal device corresponds to the first indication.
Correspondingly, the core network function entity sends the first indication to the authentication device in the second network, and the authentication device in the second network can uniquely determine the identity of the first user according to the identity of the first terminal device and the first indication. Optionally, the core network function entity may send the identity of the first terminal device and the first indication to the authentication device in the second network at the same time, or may send them separately, which is not specifically limited in this embodiment of the application.
Optionally, when the identity of the first terminal device and the identity of the first user are in a one-to-many mapping relationship, because the identity of the first terminal device may be mapped to the identities of multiple users, the first terminal device may establish a mapping relationship between the identity of the first terminal device and an identity of a second network for performing secondary authentication on the first user, so that when the first terminal device sends the identity of the first terminal device to the core network functional entity, the identity of the first user needing authentication using the first terminal device may be specified, that is, the first terminal device may determine the first indication.
In step S340, the authentication device in the second network performs secondary authentication on the first user according to the identity of the first user.
In this step, the process of secondary authentication may be an EAP authentication procedure defined by the standard. For example, the authentication device in the second network performs EAP authentication method negotiation with the first terminal device, etc., and will not be described in detail here.
In step S320, the core network function entity sends a secondary authentication request to the authentication device in the second network, and accordingly, in step S340, the authentication device in the second network may send a secondary authentication response message to the core network function entity, where the secondary authentication response message is used to instruct the first terminal device and the second network to perform secondary authentication for the first user.
In the method for secondary authentication provided by the embodiment of the application, the core network function entity sends the identity of the first terminal device to the authentication device in the second network, and the identity of the first terminal device is used to determine the identity by which the second network performs secondary authentication on the first user, so the core network function entity does not need to send the identity of the first user used for secondary authentication directly to the authentication device in the second network. By contrast, in the prior art the core network function entity requests the identity of the first user from the first terminal device, and the first terminal device returns the identity of the first user to the core network function entity in the request response, so the user identity itself crosses the operator network.
It should be understood that the out-of-band transmission mode means that the transmission of the identity of the first terminal device is not in the secondary authentication procedure, i.e. not in the EAP procedure, and thus does not belong to an EAP message.
If the terminal devices all support the secondary authentication method provided in the embodiment of the present application, a secondary authentication process may be performed on the terminal device according to the secondary authentication method 300 shown in fig. 3. When part of the terminal devices do not support the method 300 of secondary authentication provided in the embodiment of the present application, another embodiment of the present application provides a method 400 of secondary authentication, which is described below with reference to fig. 4.
Fig. 4 shows a schematic flow chart of a method of secondary authentication according to another embodiment of the present application. The method 400 of Fig. 4 may be performed by a first terminal device. The first terminal device may be, for example, the terminal device 110 shown in Fig. 1 or the UE 210 shown in Fig. 2. The method 400 may include steps S410 to S440 and steps S401 to S403.
Compared to the method 300, steps S410 to S440 in the method 400 are the same as steps S310 to S340 in the method 300, and are not repeated herein for brevity, and detailed descriptions of steps S401 to S403 are provided below.
In this embodiment of the present application, to allow smooth evolution of the communication system, two different kinds of terminal device may coexist: legacy terminal devices (legacy UE), which support only the existing secondary authentication procedure, and new terminal devices (new UE), which support the secondary authentication method 300 shown in fig. 3. The system is thus compatible with new and legacy terminal devices at the same time.
The case of a new terminal device is described first, taking the first terminal device as the new terminal device: when secondary authentication needs to be performed on the first terminal device, the core network functional entity initiates the secondary authentication procedure.
In step S401, the core network function entity sends a first message to the first terminal device.
The first message is used for requesting the identity of the first user from the first terminal equipment.
In step S402, the first terminal device sends a second message to the core network function entity.
The second message indicates whether the first terminal device sends the identity of the first user. When the second message does not include the identity of the first user, the core network functional entity may perform secondary authentication of the first user according to the identity of the first terminal device. In other words, when the second message does not include the identity of the first user, the core network functional entity performs steps S410 to S440: it obtains the identity of the first terminal device and sends it to the authentication device in the second network, and the authentication device in the second network performs step S430, determining the identity of the first user from the identity of the first terminal device and the mapping between the identity of the first terminal device and the identity used by the second network for the secondary authentication of the first user. For details, refer to the description of the secondary authentication method 300 of fig. 3, which is not repeated herein.
When the first terminal device is a new terminal device, the second message may indicate in various ways that the first terminal device does not send the identity of the first user.
For example, the second message may indicate that the first terminal device did not send the identity of the first user simply by not including the identity of the first user.
For another example, the second message may include Null information indicating that the first terminal device does not send the identity of the first user, or that the second message does not include the identity of the first user.
For another example, the second message may include an indicator indicating that the first terminal device does not send the identity of the first user, or that the second message does not include the identity of the first user.
Accordingly, in step S403, the core network function entity sends a second message to the authentication device in the second network.
After receiving the second message, the authentication device in the second network may determine whether the second message includes the identity of the first user according to the second message. When the second message does not include the identity of the first user, the authentication device in the second network determines the identity of the first user according to the identity of the first terminal device received in step S420, so as to perform secondary authentication on the first user.
For a legacy terminal device, secondary authentication may follow the existing secondary authentication procedure: in step S402, the second message sent by the first terminal device to the core network functional entity includes the identity of the first user; the core network functional entity forwards the second message to the authentication device in the second network; and the authentication device in the second network obtains the identity of the first user from the second message and performs secondary authentication of the first user directly according to that identity. For brevity, the details of this procedure can be found in the related description of fig. 2 and are not repeated herein.
In the embodiment of the application, the secondary authentication procedure of a legacy terminal device may be the same as the existing procedure, while the secondary authentication procedure of a new terminal device is partly optimized. That is, assuming the first terminal device is a new terminal device, the core network functional entity still requests the identity of the first user from the first terminal device, but the first terminal device may decline to send it; the core network functional entity instead obtains the identity of the first terminal device and performs secondary authentication of the first user according to that identity. The identity of the first user is thus conveyed out of band and implicitly, which strengthens the security protection of the identity of the first user, while the secondary authentication procedures of new and legacy terminal devices remain compatible.
In the method 400 shown in fig. 4, when the first terminal device is a new terminal device it has the secondary authentication procedure optimization capability, i.e. the capability to increase the security protection of the identity of the first user. In the method 400 the first terminal device notifies the core network functional entity of this capability during the secondary authentication procedure; the first terminal device may of course also notify the core network functional entity of the capability before the secondary authentication procedure, as described next.
FIG. 5 shows a schematic flow chart of a method of secondary authentication of another embodiment of the present application. The method 500 of fig. 5 may be performed by a first terminal device. The first terminal device may be, for example, the terminal device 100 shown in fig. 1 or the UE 210 shown in fig. 2. The method 500 may include steps S510 to S540 and step S501.
Steps S510 to S540 in the method 500 are the same as steps S310 to S340 in the method 300 and steps S410 to S440 in the method 400, and for brevity, detailed description is omitted here, and step S501 is described in detail below.
As in the method 400, to allow smooth evolution of the communication system, legacy terminal devices (legacy UE) that support the existing secondary authentication procedure and new terminal devices (new UE) that support the secondary authentication method 300 shown in fig. 3 may coexist, and the system is compatible with both.
For a new terminal device, again taking the first terminal device as the new terminal device, the first terminal device notifies the core network functional entity before secondary authentication that the first terminal device has the secondary authentication procedure optimization capability.
That is, in step S501, the first terminal device sends the capability information of the first terminal device to the core network function entity.
The capability information of the first terminal device indicates that the core network functional entity can perform secondary authentication on the first terminal device according to the identity of the first terminal device. In other words, based on the capability information of the first terminal device, the core network functional entity decides to perform steps S510 to S540 without performing steps corresponding to S401 and S402 of the method 400.
Optionally, the capability information of the first terminal device may be carried in the registration request message used for primary authentication between the first terminal device and the first network. It may also be carried in any message exchanged during primary authentication between the first terminal device and the first network, or after primary authentication is completed; the embodiment of the present application is not particularly limited in this respect. In other words, the capability information of the first terminal device is not sent within the secondary authentication procedure, i.e. not within the EAP procedure.
A legacy terminal device does not have the procedure optimization capability and does not support the method 300 shown in fig. 3, so it does not send procedure optimization capability information to the core network functional entity.
In this embodiment of the application, the secondary authentication procedure of a legacy terminal device may be the same as the existing procedure, while the secondary authentication procedure of a new terminal device is optimized. That is, assuming the first terminal device is a new terminal device, the first terminal device sends its capability information to the core network functional entity before secondary authentication is performed; the core network functional entity can determine from the capability information that the first terminal device is a new terminal device and need not request the identity of the first user from it. The core network functional entity obtains the identity of the first terminal device and performs secondary authentication of the first user according to that identity, so the identity of the first user is conveyed out of band and implicitly. This strengthens the security protection of the identity of the first user, protects it more efficiently and effectively, and remains compatible with the secondary authentication procedures of both new and legacy terminal devices. Further, because the secondary authentication method provided in the embodiment of the present application sends the identity of the first terminal device directly to the authentication device in the second network through the core network functional entity, the messages for requesting the identity of the first user from the first terminal device are saved, which improves the efficiency of signaling and data interaction in the network, optimizes the secondary authentication procedure, and reduces the waste of network resources.
In addition to the request for the identity of the first user described above, the secondary authentication of the first user by the second network includes an authentication method negotiation between the first terminal device and the authentication device in the second network. Since EAP supports dozens of authentication methods, the first terminal device and the authentication device in the second network need to agree on one authentication method to complete the authentication. In the commonly used negotiation procedure the authentication server in the second network initiates the negotiation and the first terminal device negotiates with the authentication device in the second network, which has the drawbacks of a long interaction, high consumption of network resources and high latency. The embodiment of the application provides a secondary authentication method that shortens the authentication method negotiation, reduces latency and saves network resources, described in detail below with reference to fig. 6.
Fig. 6 shows a schematic flow chart of a method of secondary authentication of yet another embodiment of the present application. The method 600 of fig. 6 may be performed by a core network function entity. The core network function entity may be, for example, the AMF network function entity 137 or the SMF network function entity 138 shown in fig. 1. The method 600 may include steps S610 to S640, wherein the step S640 includes steps S641 to S643.
Compared to the method 300, steps S610 to S630 in the method 600 are the same as steps S310 to S330 in the method 300, and are not repeated herein for brevity, and detailed description is provided for steps S641 to S643 in step S640. It should be noted that, in some embodiments, steps S641 to S643 in the method 600 may also be executed in an existing secondary authentication flow, instead of executing steps S620 and S630 in the embodiment of the present application.
The step S640 includes steps S641 to S643.
In step S641, the core network functional entity selects a first authentication method for performing secondary authentication on the first user.
The first authentication method is an authentication method supported by both the first terminal device and the authentication device in the second network.
In step S642, the core network function entity sends the first authentication method to the authentication device in the second network.
In step S643, the authentication apparatus in the second network determines the first authentication method as the negotiated authentication method, and then performs authentication according to the first authentication method.
In the embodiment of the application, the core network functional entity selects an authentication method supported by both the first terminal device and the authentication device in the second network and sends it to the authentication device in the second network as the authentication method negotiated between them. The core network functional entity thus effectively completes the authentication method negotiation without any negotiation between the first terminal device and the authentication device in the second network, which shortens the message interaction, reduces latency and saves network resources.
FIG. 7 shows a schematic flow chart diagram of a method of secondary authentication of yet another embodiment. The figure shows the process of selecting the first authentication method by the core network function entity.
Referring to fig. 7, the method 700 shown in fig. 7 may include steps S710 to S740, wherein step S740 includes steps S741 to S744c. Steps S710 to S730 are the same as steps S610 to S630 in the method 600 and, for brevity, are not described again; steps S741 to S744c in step S740 are described in detail below.
In step S741, the core network function entity obtains the first set of authentication methods and the second set of authentication methods.
The first set of authentication methods comprises authentication methods preferred by the first terminal device and the second set of authentication methods comprises authentication methods preferred by the authentication device in the second network.
The first set of authentication methods may be stored in the first terminal device and/or the core network functional entity; the second set of authentication methods may be stored in the core network functional entity and the authentication device in the second network.
In step S742a, the core network functional entity determines the first authentication method according to the first set of authentication methods and the second set of authentication methods, that is, the core network functional entity selects the first authentication method.
If the first authentication method set and the second authentication method set have a non-empty intersection, the core network functional entity may determine that the authentication methods in the intersection are preferred by both the first terminal device and the authentication device in the second network.
At step S743a, the core network function entity sends the first authentication method to the authentication device in the second network.
In step S744a, the authentication device in the second network performs authentication according to the first authentication method.
There are various ways of determining the first authentication method.
For example, in step S743a the core network functional entity may send, as the first authentication method, one authentication method selected from the intersection of the first authentication method set and the second authentication method set; it may be any authentication method in the intersection, or the highest-priority (highest-ranking) authentication method in the intersection.
For another example, in step S743a, the core network functional entity may select at least two authentication methods from an intersection of the first authentication method set and the second authentication method set, and send the at least two authentication methods to the authentication device in the second network, and accordingly, in step S744a, the authentication device in the second network may arbitrarily select one authentication method from the at least two authentication methods as the first authentication method, and perform authentication according to the first authentication method.
If there is no intersection between the first set of authentication methods and the second set of authentication methods, step S742a through step S744a may not be performed after step S741, and alternatively, step S743b through step S744b may be performed.
At step S743b, the core network function entity sends the first set of authentication methods to the authentication device in the second network.
In step S744b, the authentication device in the second network selects a second authentication method from the first set of authentication methods, and performs authentication according to the second authentication method.
The second authentication method is an authentication method supported by an authentication device in the second network.
That is, when there is no intersection between the first authentication method set and the second authentication method set, the core network functional entity sends the authentication methods preferred by the first terminal device (i.e. the first authentication method set) to the authentication device in the second network. Although these are not the preferred methods of the authentication device in the second network, they may still be supported by it, so the authentication device in the second network may select, from the methods preferred by the first terminal device, one that it supports as the second authentication method for the authentication procedure.
Optionally, in step S744b, the authentication device in the second network may also select a second authentication method from the second set of authentication methods, and perform authentication according to the second authentication method.
Since the authentication device in the second network knows its own preferred authentication methods (the second authentication method set), and although these are not the preferred methods of the first terminal device they may still be supported by it, the authentication device in the second network may select, from its preferred methods, one supported by the first terminal device as the second authentication method for the authentication procedure.
If there is no intersection between the first set of authentication methods and the second set of authentication methods, step S742a through step S744a may not be performed after step S741, and alternatively, step S743c through step S744c may be performed.
At step S743c, the core network function sends a second indication to the authentication device in the second network.
The second indication is used for indicating the authentication device in the second network to perform authentication method negotiation with the first terminal device.
In step S744c, the authentication apparatus in the second network performs authentication method negotiation with the first terminal apparatus.
That is to say, when there is no intersection between the first authentication method set and the second authentication method set, the core network functional entity notifies the authentication device in the second network of performing authentication method negotiation with the first terminal device through the second indication.
Optionally, the first authentication method set may include an authentication method supported by the first terminal device, and/or the second authentication method set includes an authentication method supported by the authentication device in the second network, and corresponding procedures are similar to those described above and are not described again.
Referring to fig. 6, steps S641 to S643 in the method 600 may be executed before the authentication in step S640 (equivalently, before step S340 of the method 300); optionally, they may also be executed before step S440 of the method 400 or before step S540 of the method 500.
Similarly, referring to fig. 7, steps S741 to S744c in the method 700 may be executed before the authentication in step S740 (equivalently, before step S340 of the method 300); optionally, they may also be executed before step S440 of the method 400 or before step S540 of the method 500.
Optionally, before step S741 the AMF may send the second authentication method set, i.e. the methods preferred by the network side, to the UE; from the second set and the EAP authentication methods it supports, the UE may select a set of authentication methods (one or more) that it prefers and send the selected set to the AMF.
For example, the UE selects or determines one preferred authentication method according to the second authentication method set, so that the UE's preferred set contains a single method that is supported or preferred by the UE and also preferred by the authentication device in the second network. The UE sends this method to the AMF, which may forward it directly to the authentication device in the second network, and the authentication device in the second network may use it as the authentication method negotiated with the first terminal device.
For another example, the UE selects or determines several preferred authentication methods according to the second authentication method set, so that the UE's preferred set contains several methods that are supported or preferred by the UE and also preferred by the authentication device in the second network. The UE sends these methods to the AMF, which may select one of them and send it to the authentication device in the second network, and the authentication device in the second network may use the selected method as the authentication method negotiated with the first terminal device.
In some embodiments, steps S641 to S643 in the method 600 may also be executed in an existing secondary authentication flow, instead of executing steps S620 and S630 in the embodiment of the present application; steps S741 to S744c in the method 700 may also be performed in the existing secondary authentication process, instead of performing steps S720 and S730 in the embodiment of the present application, the process is the same as that described above, and for brevity, no further description is given, and reference may be specifically made to the related description above.
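The selection logic of methods 600 and 700 (steps S741 to S744c), together with the optional UE pre-selection described just before them, written out as plain functions. This is an added example and not code from the patent: the EAP method names, the `policy` switch, the result labels and the rule that, within the intersection, the UE's ranking decides (the page says "highest priority" without saying whose) are all assumptions; the patent fixes no message format.

```python
"""Added example, not code from the patent: authentication-method selection of
methods 600/700 (steps S741 to S744c) plus the optional UE pre-selection step.
Method names, the 'policy' switch and the result labels are hypothetical."""

from typing import Optional, Sequence, Tuple

# Ordered lists encode priority: index 0 is the most preferred method (assumption).
# EAP method names below are illustrative only.


def ue_preselect(network_preferred: Sequence[str], ue_supported: Sequence[str]) -> list:
    """Optional pre-step: the AMF sent the network-preferred (second) set to the UE;
    the UE answers with those methods of that set it supports, in its own order."""
    return [m for m in ue_supported if m in network_preferred]


def amf_select(ue_preferred: Sequence[str], aaa_preferred: Sequence[str],
               offer: int = 1, policy: str = "offer_ue_set") -> Tuple[str, Optional[list]]:
    """Steps S741/S742a at the core network functional entity. Returns (kind, payload):
      ("first_method", [m, ...])   intersection non-empty: up to `offer` methods (S743a)
      ("ue_preferred_set", [...])  no intersection, policy (b): forward the UE's set (S743b)
      ("second_indication", None)  no intersection, policy (c): tell the AAA-S to negotiate (S743c)
    Within the intersection the UE's ranking decides (an assumption, see lead-in)."""
    common = [m for m in ue_preferred if m in aaa_preferred]
    if common:
        return "first_method", common[:max(1, offer)]
    if policy == "offer_ue_set":
        return "ue_preferred_set", list(ue_preferred)
    return "second_indication", None


def aaa_decide(kind: str, payload: Optional[list], aaa_supported: Sequence[str]) -> Optional[str]:
    """Steps S744a/S744b at the authentication device in the second network.
    Returns the method to run EAP with, or None when the AAA-S must negotiate with the UE."""
    if kind == "first_method":
        # S744a: any method the AMF offered is acceptable; take the highest ranked one.
        return payload[0]
    if kind == "ue_preferred_set":
        # S744b: first UE-preferred method the AAA-S actually supports. The check
        # against the support list is essential: a UE-supplied set must not be able
        # to steer the data network onto a method it never enabled.
        for m in payload:
            if m in aaa_supported:
                return m
        return None  # nothing usable: the AAA-S has to negotiate with the UE in EAP
    return None  # "second_indication": S744c, negotiate with the UE in EAP


def negotiate(ue_preferred: Sequence[str], aaa_preferred: Sequence[str],
              aaa_supported: Sequence[str], **kw) -> Optional[str]:
    """One-shot view: AMF selection followed by the AAA-S decision."""
    kind, payload = amf_select(ue_preferred, aaa_preferred, **kw)
    return aaa_decide(kind, payload, aaa_supported)


if __name__ == "__main__":
    ue = ue_preselect(["EAP-TTLS", "EAP-TLS", "EAP-AKA'"], ["EAP-AKA'", "EAP-TLS", "EAP-MD5"])
    print("UE pre-selected:", ue)                                    # ['EAP-AKA'', 'EAP-TLS']
    print(negotiate(ue, ["EAP-TTLS", "EAP-TLS"], ["EAP-TTLS", "EAP-TLS"]))  # EAP-TLS
    print(negotiate(["EAP-PEAP"], ["EAP-TTLS"], ["EAP-TTLS"]))            # None -> EAP negotiation
```

The `policy` argument only encodes that the page offers (b) and (c) as alternatives when the intersection is empty; which one a real core network picks is not specified.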
Some specific, non-limiting examples of embodiments of the present application are described in more detail below with reference to figures 8 through 11. In fig. 8 to 11 the first terminal device is a UE, the core network functional entity is an AMF network functional entity (AMF for short), the identity of the first terminal device is the GPSI, the identity used by the second network for the secondary authentication of the first user is the user ID, the first network is the operator network, the second network is a data network, the authentication device in the second network is an AAA-S (AAA server), and the secondary authentication mechanism is EAP. It should be understood that the secondary authentication procedures shown in fig. 8 to 11 are only illustrative: the first terminal device, the core network functional entity, the identity of the first terminal device, the identity used by the second network for the secondary authentication of the first user, the first network, the second network and the authentication device in the second network may also be any of the alternatives mentioned above, which are not repeated here.
Fig. 8 shows a schematic flow chart of a method of secondary authentication of yet another embodiment of the present application. Referring to fig. 8, this embodiment optimizes the initial EAP messages (EAP request/response) of the EAP authentication mechanism: the ID request and ID response are not sent as EAP messages, where the ID request and ID response are the user ID request and user ID response, respectively. The user ID obtained by the AAA-S is derived from the GPSI that the AMF sends to the AAA-S, and is not requested from the UE by the AMF. The method 800 includes steps S810 to S840, wherein step S840 includes steps S841 to S847; the detailed flow is shown in fig. 8.
At step S810, the UE sends a registration request for accessing the network to the AMF, and carries identity information, such as encrypted identity information SUCI.
It should be understood that the UE may be understood as one specific example of the first terminal device in the methods 300 to 700; the AMF may be understood as a specific example of the core network functional entity in the methods 300 to 700.
In step S820, primary authentication and NAS security protection are performed between the UE and the AMF.
Illustratively, the specific process may be as follows: the AMF decides, according to the identity information sent by the UE, whether to initiate primary authentication between the network and the UE. For example, if the UE sends a SUCI to the AMF, the AMF forwards the SUCI to the UDM, the UDM decrypts the SUCI to recover the true identity (SUPI) of the UE and returns the SUPI to the AMF, and the AMF initiates primary authentication based on the SUPI.
After step S820, i.e. once primary authentication has succeeded, the AMF authorizes the UE to access the network and determines, according to information held locally or in the UDM, whether the UE needs further secondary authentication.
At step S830, the AMF determines that the UE needs to perform secondary authentication.
In step S840, the AMF triggers a secondary authentication procedure between the UE and the DN (i.e., AAA-S) for secondary authentication.
In the secondary authentication process for the UE, step S840 may further include steps S841 to S847.
At step S841, the AMF sends the GPSI to the AAA server (AAA-S) located in the DN.
Optionally, the AMF sends a user ID indication to the AAA-S located at the DN. This user ID indication may be understood as the first indication described above.
Optionally, the AMF sends an authentication indication to the AAA-S located at the DN.
At step S842, the AAA-S determines that the message is an EAP authentication request message based on the received message type and/or authentication indication. The AAA-S obtains the user ID for secondary authentication according to the GPSI or the GPSI and the user ID indication. For example, the AAA-S pre-stores the correspondence between the GPSI (or including the user ID indication) and the user ID, and acquires the user ID required for secondary authentication according to the correspondence and the GPSI. The user ID may be understood as the identity of the first user as described above, and the GPSI may be understood as a specific example of the identity of the first terminal device as described above.
In step S843, the AAA-S initiates an EAP authentication procedure according to the acquired user ID for secondary authentication. AAA-S sends EAP request to AMF, and contains EAP authentication method selected by AAA-S, such as authentication method 1.
In step S844, the AMF receives the EAP request of the AAA-S, and forwards the EAP request message to the UE through the NAS message of the operator network.
In step S845, the UE replies an EAP response message to the AMF. If the UE agrees to adopt the authentication method 1, replying to agree to adopt the authentication method 1.
At step S846, the AMF forwards the EAP response message to the AAA-S. While the remaining required authentication steps, i.e. the position of the ellipses in the figure, continue to be performed between the AAA-S and the UE.
At step S847, if the authentication is successful, the AAA-S sends an EAP authentication success message to the AMF. While the AMF may proceed with other registration procedures.
It should be noted that the interaction between AAA-S and AMF may also be via proxy function AAA-F to perform proxy and relay.
It should be noted that step S841 is not part of the EAP flow and is not an EAP message; the EAP messages start at step S843. In the conventional method, the first EAP message (EAP Request (ID)) is sent from the AMF to the UE before what is here step S841, requesting the UE to return its user ID in an EAP Response (ID). The embodiment of the application removes this exchange of the user ID between the UE and the AAA-S (the EAP Request (ID)/EAP Response (ID) of the EAP authentication): the AAA server obtains the user ID out of band and implicitly, reusing the existing interaction between the 3GPP network and the AAA server to tell the AAA server which user ID the UE uses for secondary authentication. This avoids leaking user privacy when the user ID is sent and saves network resources. Specifically, after the 3GPP network establishes a connection with the AAA server, the UE ID is sent to the AAA server outside the EAP procedure, before (or during) the secondary authentication of the UE, instead of the user ID for secondary authentication. If a mapping from the UE ID to the secondary authentication user ID is provisioned in the AAA server, the AAA server can convert the UE ID directly into the user ID without the EAP request/response exchange that would otherwise obtain it, which saves network resources and efficiently protects the user ID.
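A toy model of the identity handling in methods 300, 400, 500 and 800, as an added example rather than code from the patent: the AAA-S resolves the user ID from a pre-provisioned GPSI to user ID mapping when the UE did not put a user ID into its EAP response, while a legacy UE that still sends the user ID is handled as before. The class, field and message names, the `user_id_indication` flag (modelling the optional first indication) and the mapping table are hypothetical constructs; the case of a GPSI with no mapping is returned as a rejection, since the page assumes the mapping is provisioned and specifies no fallback.

```python
"""Added example, not code from the patent: how the AAA-S obtains the user ID for
secondary authentication from the GPSI sent out of band by the AMF, for the three
terminal behaviours described on this page:
  - legacy UE: answers the EAP Request/Identity with its user ID (existing flow)
  - new UE, method 400: answers the EAP Request/Identity with Null (no user ID)
  - new UE, method 500: announced the optimisation capability at registration, so
    the AMF never sends the EAP Request/Identity at all
All names and the mapping table are hypothetical constructs."""

from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical AAA-S table (constructed data): GPSI -> user ID for secondary authentication.
AAA_S_MAPPING: Dict[str, str] = {
    "msisdn-447700900001": "alice@dn.example",
    "msisdn-447700900002": "bob@dn.example",
    "msisdn-447700900003": "carol@dn.example",
}


@dataclass
class UE:
    gpsi: str
    user_id: str
    new_ue: bool  # supports the optimised flow (method 300)

    def eap_response_identity(self) -> Optional[str]:
        """Reply to EAP Request/Identity (S402 / S942). None models the Null response
        of a new UE; a legacy UE returns its user ID in clear inside the EAP message."""
        return None if self.new_ue else self.user_id


class AAAServer:
    """Authentication device in the second network (the data network)."""

    def __init__(self, mapping: Dict[str, str]):
        self.mapping = mapping
        self.gpsi_received: Dict[str, bool] = {}  # GPSI -> user ID indication seen

    def receive_gpsi(self, gpsi: str, user_id_indication: bool) -> None:
        """S420 / S841: the GPSI arrives outside EAP, optionally with the first indication."""
        self.gpsi_received[gpsi] = user_id_indication

    def resolve_user_id(self, gpsi: str, eap_identity: Optional[str]) -> Optional[str]:
        """S430 / S842: use the user ID from the EAP response if the UE sent one,
        otherwise derive it from the GPSI via the pre-provisioned mapping.
        None means neither source yields a user ID; the caller must reject, not guess."""
        if eap_identity is not None:
            return eap_identity
        if not self.gpsi_received.get(gpsi):
            return None  # no GPSI (or no user ID indication) received for this UE
        return self.mapping.get(gpsi)  # None when no mapping is provisioned


@dataclass
class AMF:
    """Core network functional entity."""
    capabilities: Dict[str, bool] = field(default_factory=dict)

    def registration(self, ue: UE, optimisation_capable: bool) -> None:
        """S501: capability information carried in the registration request (method 500)."""
        self.capabilities[ue.gpsi] = optimisation_capable

    def secondary_auth(self, ue: UE, aaa: AAAServer) -> dict:
        """Drive one secondary authentication and record which messages were needed."""
        trace = {"identity_request_sent": False, "gpsi_sent_out_of_band": False}
        identity: Optional[str] = None
        if not self.capabilities.get(ue.gpsi):
            # Method 400 / existing flow: S401-S402, ask the UE for its user ID.
            trace["identity_request_sent"] = True
            identity = ue.eap_response_identity()
        if identity is None:
            # S410/S420 (S841): send the GPSI instead of the user ID, not as an EAP message.
            trace["gpsi_sent_out_of_band"] = True
            aaa.receive_gpsi(ue.gpsi, user_id_indication=True)
        # S403 (S943): the possibly empty response is forwarded; the AAA-S resolves the ID.
        trace["user_id"] = aaa.resolve_user_id(ue.gpsi, identity)
        trace["result"] = "continue-eap" if trace["user_id"] else "reject"
        return trace


if __name__ == "__main__":
    aaa, amf = AAAServer(AAA_S_MAPPING), AMF()
    print(amf.secondary_auth(UE("msisdn-447700900001", "alice@dn.example", new_ue=False), aaa))
    print(amf.secondary_auth(UE("msisdn-447700900002", "bob@dn.example", new_ue=True), aaa))
```

In the new-UE traces the user ID never appears on the UE to AMF leg; only the GPSI, which the operator network already knows, crosses to the AAA-S, and the AAA-S is the only party that performs the GPSI to user ID lookup.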
Fig. 9 shows a schematic flow chart of a method of secondary authentication of yet another embodiment of the present application. Referring to fig. 9, the present embodiment is directed to optimizing an initial EAP message (i.e., EAP request/response) in an EAP authentication mechanism, in which a system allows 2 different UEs to exist: one is an old (legacy) UE, still using the original EAP method, and the other is a new (new) UE, a UE that allows optimization of the initial message of EAP. This assumption is mainly based on the smooth evolution of the system, i.e. compatibility between legacy UEs and New UEs. The method 900 includes steps S910 to S940, wherein the step S940 includes steps S941 to S949, and the specific flow is as follows.
Steps S910 to S930 are the same as steps S810 to S830 in the method 800, and the description thereof is omitted here, and the above description may be referred to for details.
After the AMF determines that the UE needs to perform the secondary authentication, in step S940, the AMF triggers a secondary authentication procedure between the UE and the DN to perform the secondary authentication. In performing the secondary authentication process on the UE, step S940 may further include steps S941 to S949.
In step S941, the AMF initiates the EAP authentication procedure, that is, it sends an EAP request message to the UE asking the UE for its user ID for secondary authentication, as in the existing authentication method.
For an existing UE (i.e., an old UE), which still uses the existing authentication method, the UE returns an EAP response message to the AMF at step S942a and includes in it the user ID for secondary authentication; the AMF forwards the message to the AAA-S at step S943a. In step S944, the AAA-S obtains the user ID directly.
In step S942b, a UE with the optimization capability (i.e., a new UE) does not include the user ID in the EAP response message, or includes a Null value or an indicator stating that the message carries no user ID. The message is forwarded to the AAA-S in step S943b.
It should be noted that in the forwarding message of step S943b, the GPSI may be sent to the AAA-S together with the EAP message, and the user ID in use is indicated by the GPSI. In step S944, the AAA-S may translate the GPSI into the user ID, so that the rest of the EAP authentication procedure can proceed.
Steps S945 to S949 are the same as steps S843 to S847 in the method 800, and the description thereof is omitted here, and the above description may be referred to for details.
In this embodiment, the secondary authentication procedure of the old UE is left unchanged, and to remain compatible with the old UE the EAP procedure of the new UE is only partially optimized: the two initial EAP messages still need to be sent, but the user ID is privacy protected.
FIG. 10 shows a schematic flow chart of a method of secondary authentication according to yet another embodiment of the present application. Referring to fig. 10, this embodiment also optimizes the initial EAP messages (i.e., EAP Request/Response (ID)) of the EAP authentication mechanism for a system in which two kinds of UE coexist: an old (legacy) UE that still uses the original EAP method, and a new UE that allows the initial EAP messages to be optimized. This assumption follows from the need for a smooth evolution of the system, i.e., compatibility between legacy UEs and new UEs. The method 1000 includes steps S1010 to S1040, where step S1040 includes steps S1041 to S1049; the specific flow is as follows.
Steps S1010 to S1030 are similar to steps S810 to S830 in the method 800, and only differences are explained herein, and reference may be made to the above description for details.
Step S1010 is similar to step S810 of method 800, except that in this step the UE may include in the registration request message an indication of whether it supports the EAP flow optimization (i.e., an EAP initial-message-support capability, meaning that the EAP Request (ID) and EAP Response (ID) messages can be omitted). For a legacy UE, this message does not contain the capability indication.
Step S1030 is similar to step S830 in method 800, except that the AMF may determine whether the UE has the capability to optimize EAP. If the UE is a legacy UE without the optimization capability, steps S1041, S1042 and S1043a are performed; if the UE is a new UE with the optimization capability, step S1043b is performed.
Step S1041, step S1042 and step S1043a are similar to step S941, step S942a and step S943a in the method 900, respectively, and detailed descriptions thereof are omitted herein, and reference may be made to the above.
Steps S1043b and S1044 are similar to steps S943b and S944 in the method 900, and detailed description thereof is omitted here, and reference may be made to the above.
Steps S1045 to S1049 are the same as steps S945 to S949 in the method 900, and the description thereof is omitted here, and the above description may be referred to for details.
It should be noted that the UE reports the optimization-capability indication in step S1010, but it may also notify the AMF in a message of another step. For example, in step S1020 there are multiple information exchanges between the UE and the AMF, and the indication may be included in any of those messages to notify the AMF; this is not limited herein.
FIG. 11 shows a schematic flow chart of a method of secondary authentication according to yet another embodiment of the present application. Referring to fig. 11, the present embodiment optimizes the EAP authentication algorithm negotiation flow. The negotiation of the authentication algorithm is mainly performed by proxy through the operator network, which shortens the message exchange, reduces the delay and saves network resources. The method 1100 of the present embodiment includes steps S1110 to S1160, where step S1150 includes steps S1151 to S1156 and step S1160 includes steps S1161 to S1167; the specific flow is as follows.
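The identity phase of methods 800, 900 and 1000 described above, modelled as an added example (this is not code from the patent or from any 3GPP implementation): a legacy UE answers EAP Request/Identity with its user ID, a method-900 UE answers with a Null identity and the AMF forwards the GPSI alongside it, and a method-1000 UE that signalled the optimization capability at registration gets no Identity exchange at all, the AAA-S resolving the user ID from its GPSI mapping in every optimized case. The message layout, the GPSI values, the user IDs, the capability flag name and the integer form of the first indication are assumptions made for this example.

```python
"""Illustrative model of the secondary-authentication identity phase of methods 800,
900 and 1000 (an added example; not code from the patent or from 3GPP).

Assumptions, none taken from the source: messages are Python dicts, the GPSI is the
3GPP-network identity of the UE that the AMF forwards, the AAA-S holds a GPSI -> user-ID
mapping, and an integer 'first indication' selects among several user IDs mapped to one
GPSI.  All names and sample data are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class AAAServer:
    """Authentication server of the data network (AAA-S) in this model."""
    # GPSI -> ordered list of secondary-authentication user IDs (constructed mapping).
    mapping: dict = field(default_factory=dict)
    # Counts user IDs that reached the AAA-S inside an EAP Response/Identity.
    clear_text_ids_seen: int = 0

    def resolve_user_id(self, gpsi, indication=None):
        """Translate the 3GPP identity into the DN user ID (steps S844, S944, S1044)."""
        ids = self.mapping.get(gpsi)
        if not ids:
            raise KeyError("no secondary-authentication user ID is mapped to this GPSI")
        if len(ids) == 1:
            return ids[0]
        # Several users behind one UE: the AMF must supply the first indication.
        if indication is None or not 0 <= indication < len(ids):
            raise ValueError("GPSI maps to several user IDs; a valid first indication is required")
        return ids[indication]

    def on_identity_from_amf(self, fwd):
        """Handle what the AMF forwards in step S943a/S943b (or sends out-of-band in method 800)."""
        if fwd.get("eap_identity"):
            # Legacy UE: the user ID arrived inside EAP Response/Identity.
            self.clear_text_ids_seen += 1
            return fwd["eap_identity"]
        return self.resolve_user_id(fwd["gpsi"], fwd.get("indication"))


class LegacyUE:
    """Old UE: answers EAP Request/Identity with its user ID, as in the existing flow."""

    def __init__(self, user_id):
        self.user_id = user_id

    def eap_identity_response(self):
        return {"code": "Response", "type": "Identity", "identity": self.user_id}


class NewUE(LegacyUE):
    """New UE of method 900: answers with a Null identity so the AAA-S resolves it from the GPSI."""

    def eap_identity_response(self):
        return {"code": "Response", "type": "Identity", "identity": None}


def secondary_auth_identity_phase(aaa, ue, registration):
    """Identity phase as run by the AMF.

    registration is the constructed state the AMF holds after primary authentication:
    the UE's GPSI, an optional first indication and, for method 1000, the optimization
    capability flag the UE reported in its registration request.
    Returns (user ID known to the AAA-S, number of EAP Identity messages sent over the air).
    """
    fwd = {"gpsi": registration["gpsi"], "indication": registration.get("indication")}
    if registration.get("eap_initial_message_optimization"):
        # Method 1000: the AMF knows the UE supports the optimization and skips
        # EAP Request/Identity and EAP Response/Identity entirely (steps S1043b, S1044).
        return aaa.on_identity_from_amf(fwd), 0
    # Method 900 and the existing flow: EAP Request/Identity (S941), the UE's answer
    # (S942a/S942b), and the AMF forwards the answer together with the GPSI (S943a/S943b).
    eap_request = {"code": "Request", "type": "Identity"}
    eap_response = ue.eap_identity_response()
    fwd["eap_identity"] = eap_response["identity"]
    messages_over_air = len([eap_request, eap_response])
    return aaa.on_identity_from_amf(fwd), messages_over_air


def demo():
    """Run all three UE kinds against one AAA-S; returns the results and the clear-text count."""
    aaa = AAAServer(mapping={
        "msisdn-15551230001": ["alice@dn.example"],                       # constructed
        "msisdn-15551230002": ["bob@dn.example", "bob-admin@dn.example"],  # two users, one UE
    })
    results = {
        "legacy": secondary_auth_identity_phase(
            aaa, LegacyUE("alice@dn.example"), {"gpsi": "msisdn-15551230001"}),
        "new_900": secondary_auth_identity_phase(
            aaa, NewUE("alice@dn.example"), {"gpsi": "msisdn-15551230001"}),
        "new_1000": secondary_auth_identity_phase(
            aaa, NewUE("bob-admin@dn.example"),
            {"gpsi": "msisdn-15551230002", "indication": 1,
             "eap_initial_message_optimization": True}),
    }
    return results, aaa.clear_text_ids_seen


if __name__ == "__main__":
    for name, (user_id, n_msgs) in demo()[0].items():
        print(f"{name:9s} -> user ID {user_id!r} after {n_msgs} EAP Identity messages")
```

Only the legacy path ever delivers a user ID inside an EAP Identity message; both optimized paths hand the AAA-S nothing but the GPSI, and the method-1000 path also removes the two over-the-air Identity messages. The model also shows the check the page implies for a UE ID that maps to several users: without the first indication the AAA-S cannot pick a user ID and must fail rather than guess.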
Steps S1110 to S1130 are similar to steps S810 to S830 in the method 800, and only the differences are explained herein, and reference may be made to the above description for details.
Step S1110 is similar to step S810 in method 800, except that the UE may now include its preferred EAP authentication method list ("UE preferred authentication method list") in the registration request message as well. The preferred authentication method may be different for each slice (i.e., S-NSSAI) or the preferred method may be the same for all S-NSSAIs.
Step S1130 is similar to step S830 in method 800, except that in this step the AMF further queries (locally, or by querying the UDM) the preferred authentication method list of the AAA-S corresponding to the UE ("DN preferred authentication method list") and compares the two lists to see whether they intersect, so as to determine an EAP authentication method preferred by both sides. If there is more than one such method, the top method or the method with the highest priority is selected.
The "UE preferred authentication method list" may be understood as the first set of authentication methods described above and the "DN preferred authentication method list" may be understood as the second set of authentication methods described above.
In step S1140, if a preferred authentication method (which can be understood as the first authentication method described above) is determined in step S1130, the specific steps in step S1150 are performed. If the preferred authentication method cannot be determined in step S1130, the specific steps in step S1160 are performed.
Step S1150 may include steps S1151 to S1156, and step S1150 may be an existing EAP flow based on an authentication method "authentication method 2", and is not described in detail herein.
Step S1160 may include steps S1161 to S1167, where step S1160 is an EAP flow in which an authentication method is first negotiated and authentication is then performed. The difference from the existing flow is that at step S1163 the AMF sends the UE's preferred authentication method list to the AAA-S, so that the AAA-S can first check whether the preferred list contains any method it supports. If so, one of those methods may be selected as the negotiated authentication method. Otherwise, all methods in the list are excluded and the selection of the authentication algorithm starts in step S1164.
It should be noted that the algorithm selection may still consider the methods in the AAA-S preference list, because they may be methods the UE supports even though they are not among the UE's preferences. Alternatively, the AAA-S may exclude all methods in its own preference list and negotiate with the UE using only other methods it supports outside that list; this is not specifically limited in the embodiment of the present application.
It should be noted that the UE reports the "UE preferred authentication method list" in step S1110, but it may also notify the AMF in a message of another step. For example, in step S1120 there are multiple information exchanges between the UE and the AMF, and the list may be included in any of those messages to notify the AMF; this is not limited herein.
The method 1100 in the embodiments of the present application may be used in conjunction with the methods 800, 900, and 1000, respectively.
Fig. 12 is a schematic flow chart diagram illustrating a method of secondary authentication in accordance with yet another embodiment of the present application. Referring to fig. 12, the present embodiment is an optimization for the EAP authentication algorithm negotiation procedure. The method 1200 of the embodiment of the application includes steps S1210 to S1260, where the step S1260 includes steps S1261 to S1264, and the specific flow is as follows.
In step S1210, primary authentication is performed for the UE (which may be understood as the aforementioned first terminal device).
At step S1220, the AMF determines that the UE needs to perform secondary authentication.
In step S1230, the AMF sends the UE the slices that require secondary authentication, i.e., in this step the AMF informs the UE which slices require slice authentication.
Optionally, in step S1230, the AMF may also send a set of authentication methods (which may be understood as the second set of authentication methods described above) preferred by the AAA server to the UE. Before step S1230, the AMF may request the AAA server for the preferred authentication method set of the AAA server, or may directly obtain the preferred authentication method set of the AAA server from another network functional entity, for example, the UDM, which is not limited in this embodiment of the present application.
At step S1240, the UE sends a UE-preferred set of authentication methods, which may include one or more authentication methods, to the AMF. Unlike method 1100, in this embodiment the UE sends its preferred set of authentication methods to the AMF after the primary authentication and before the slice authentication (the EAP flow), whereas in method 1100 the UE sends its preferred set to the AMF before (or during) the primary authentication.
For example, if in step S1230 the AMF does not send the AAA server-preferred set of authentication methods to the UE, the UE-preferred set of authentication methods that the UE sends to the AMF in step S1240 may be the UE's default preferred set.
For another example, if in step S1230 the AMF sends the AAA server-preferred set of authentication methods to the UE, the UE-preferred set that the UE sends to the AMF in step S1240 may be determined according to the AAA server-preferred set. For example, the UE may determine or select its preferred set of authentication methods from among the AAA server-preferred set.
In step S1250, the AMF determines an authentication method.
In step S1260, the AMF triggers a secondary authentication procedure between the UE and the AAA server to perform secondary authentication.
Step S1260 may include steps S1261 to S1264, wherein steps S1261 and S1262 are optional steps, and the procedure thereof may refer to the related descriptions of the EAP request and EAP response in the existing flow or the aforementioned methods 300 to 1100.
In step S1263, the AMF transmits the authentication method determined in step S1250, for example, the authentication method 1, to the AAA server, and the AAA server may determine the authentication method determined in step S1250 as an authentication method negotiated by the AAA server and the UE, and then proceed with the next procedure.
In step S1250, taking the authentication method determined by the AMF as the authentication method 1 as an example, the AMF may determine the authentication method in various ways.
As an example, if the AMF sends the AAA server-preferred set of authentication methods to the UE in step S1230, the UE may select or determine one authentication method that is supported or preferred by the UE, for example, authentication method 1, from the AAA server-preferred set of authentication methods to send to the AMF in step S1240. In step S1250, the AMF may directly forward the one authentication method determined by the UE to the AAA server, and the AAA server determines the one authentication method determined by the UE as an authentication method negotiated by the AAA server and the UE.
Alternatively, if the AMF sends the AAA server-preferred authentication method set to the UE in step S1230, the UE may select or determine a plurality of UE-supported or preferred authentication methods from the AAA server-preferred authentication method set to send to the AMF in step S1240. In step S1250, the AMF may directly determine one authentication method from the plurality of authentication methods determined by the UE for secondary authentication, and forward the one authentication method determined by the AMF to the AAA server, and the AAA server determines the one authentication method determined by the AMF as an authentication method negotiated by the AAA server and the UE.
As another example, if the AMF does not send the AAA server-preferred set of authentication methods to the UE in step S1230, the UE may send the UE-preferred or supported set of authentication methods to the AMF in step S1240. In step S1250, the AMF may determine one authentication method to be used for secondary authentication according to the set of authentication methods preferred or supported by the UE and the set of authentication methods preferred or supported by the AAA server, and send the one authentication method determined by the AMF to the AAA server, and the AAA server determines the one authentication method determined by the AMF as the authentication method negotiated by the AAA server and the UE.
The method 1200 in the embodiments of the present application may be used in conjunction with the methods 800, 900, and 1000, respectively.
In this embodiment, the terminal device sends its preferred set of authentication methods to a core network functional entity before the EAP flow of slice authentication, and the negotiation of the authentication algorithm is completed by proxy through the operator network, which shortens the message exchange, reduces the delay and saves network resources.
The embodiment of the application does not change the EAP flow defined by the IETF standard. In the standard EAP flow, the EAP Request/ID and EAP Response/ID messages and the EAP method negotiation are optional steps. The embodiment of the application avoids these optional steps through information exchange within the operator network.
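The proxied method negotiation of methods 1100 and 1200, as an added example that is not the patent's own code: the AMF intersects the two preference lists (step S1130), falls back to sending the UE list to the AAA-S (step S1163) and then to AAA-S-driven selection (step S1164), and for method 1200 the UE chooses from the AAA-S list that the AMF forwarded in step S1230. The ordering rule (the first entry of the UE list is its highest priority), the Nak-style acceptance by the UE in step S1164, the sample EAP method names and all lists are assumptions made for this example.

```python
"""Illustrative model of the operator-proxied EAP method negotiation of methods 1100 and
1200 (an added example; not code from the patent).  Assumptions not taken from the source:
preference lists are ordered Python lists of EAP method names, the first entry of the UE
list is its highest priority, and after step S1164 the UE accepts the first proposed
method it supports.  Method names and lists are constructed sample data.
"""


def select_common_method(ue_pref, dn_pref):
    """Step S1130: first method in the UE's list that also appears in the DN list, i.e. the
    top-priority method preferred by both sides; None when the lists do not intersect."""
    for method in ue_pref:
        if method in dn_pref:
            return method
    return None


class AAAServer:
    """AAA-S side of step S1160: its own preference list and the full set it supports."""

    def __init__(self, preferred, supported):
        self.preferred = list(preferred)
        self.supported = set(supported) | set(preferred)

    def pick_from_ue_list(self, ue_pref):
        """Step S1163: the AMF sent the UE's list; choose its first supported entry, or None."""
        return next((m for m in ue_pref if m in self.supported), None)

    def selection_candidates(self, ue_pref, keep_own_preferred=True):
        """Step S1164: the UE list is excluded; offer the remaining methods in order.  Whether
        the AAA-S's own preferred methods stay in the pool is left open by the page, so it
        is a flag here."""
        pool = list(self.preferred) if keep_own_preferred else []
        pool += sorted(self.supported - set(self.preferred))
        return [m for m in pool if m not in ue_pref]


def method_1100(ue_pref, ue_supported, dn_pref, aaa, keep_own_preferred=True):
    """AMF-proxied negotiation of method 1100.  Returns (method, step that settled it)."""
    method = select_common_method(ue_pref, dn_pref)
    if method is not None:
        return method, "S1150"  # both sides prefer it; a plain EAP run with that method follows
    method = aaa.pick_from_ue_list(ue_pref)
    if method is not None:
        return method, "S1163"
    # S1164 onward: the AAA-S proposes methods and the UE accepts the first it supports
    # (modelled after EAP Nak-style negotiation; the UE's acceptance rule is an assumption).
    for candidate in aaa.selection_candidates(ue_pref, keep_own_preferred):
        if candidate in ue_supported:
            return candidate, "S1164"
    return None, "failed"


def method_1200(ue_supported, dn_pref, amf_sent_dn_list):
    """Negotiation of method 1200, which runs after primary authentication.  Returns (method, how)."""
    if amf_sent_dn_list:
        # S1230: AMF forwards the AAA-S preferred set; S1240: UE returns the ones it supports,
        # in the DN's order; S1250: the AMF takes the first and sends it to the AAA-S (S1263).
        chosen_by_ue = [m for m in dn_pref if m in ue_supported]
        return (chosen_by_ue[0] if chosen_by_ue else None), "ue_selected_from_dn_list"
    # AMF sent nothing: the UE sends its default preferred set and the AMF intersects (S1250).
    return select_common_method(ue_supported, dn_pref), "amf_intersected"


def demo():
    """Constructed scenarios; the EAP method names are only labels here."""
    aaa = AAAServer(preferred=["EAP-AKA'", "EAP-TTLS"], supported=["EAP-TLS"])
    dn = aaa.preferred  # the DN preferred list the AMF obtains in step S1130
    return {
        "both_prefer":   method_1100(["EAP-TLS", "EAP-TTLS"], ["EAP-TLS", "EAP-TTLS"], dn, aaa),
        "aaa_supports":  method_1100(["EAP-TLS"], ["EAP-TLS"], dn, aaa),
        "negotiated":    method_1100(["PEAP"], ["PEAP", "EAP-AKA'", "EAP-TLS"], dn, aaa),
        "negotiated_ex": method_1100(["PEAP"], ["PEAP", "EAP-AKA'", "EAP-TLS"], dn, aaa,
                                     keep_own_preferred=False),
        "m1200_list":    method_1200(["PEAP", "EAP-TLS"], ["EAP-AKA'", "EAP-TLS"], True),
        "m1200_nolist":  method_1200(["PEAP", "EAP-TLS"], ["EAP-AKA'", "EAP-TLS"], False),
    }


if __name__ == "__main__":
    for name, (method, how) in demo().items():
        print(f"{name:13s} -> {method} ({how})")
```

The two flags of the AAA-S (whether its own preferred methods stay in the pool after the UE list is excluded) reproduce the two variants the page leaves open; with the constructed lists they settle on different methods, which is why a deployment should fix that choice explicitly rather than leave it to the implementation.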
Method embodiments of the present application are described above in detail in conjunction with fig. 1-12, and apparatus embodiments of the present application are described in detail below in conjunction with fig. 13-18. It is to be understood that the description of the method embodiments corresponds to the description of the apparatus embodiments, and therefore reference may be made to the preceding method embodiments for parts not described in detail.
Fig. 13 is a schematic structural diagram of an apparatus provided in an embodiment of the present application. The apparatus 1300 in fig. 13 may be the core network function entity in the foregoing, for example, may be a specific example of the AMF network function entity 137 or the UDM network function entity 134 in fig. 1. The apparatus shown in fig. 13 may be used to perform the methods of fig. 3-12, and the description will not be repeated to avoid redundancy.
The communications apparatus 1300 shown in fig. 13 may include an acquisition module 1310 and a transmission module 1320.
The obtaining module 1310 is configured to obtain an identity of a first terminal device, where the identity of the first terminal device is an identifier of a first network.
The sending module 1320 is configured to send the identity of the first terminal device to an authentication device in a second network, where the identity of the first terminal device is used to determine an identity of the second network for performing secondary authentication on a first user, and the identity of the first user is different from the identity of the first terminal device.
Optionally, the sending module 1320 is specifically configured to send a secondary authentication request to the authentication device in the second network, where the secondary authentication request includes the identity of the first terminal device but does not include the identity of the first user.
Optionally, the apparatus 1300 may further include a receiving module 1330 configured to receive a secondary authentication response message sent by the authentication device in the second network, where the secondary authentication response message is used to instruct the first terminal device to perform secondary authentication with the second network for the first user.
Optionally, the sending module 1320 is configured to send a first message to the first terminal device, where the first message is used to request the identity of the first user.
Optionally, the receiving module 1330 is configured to receive a second message sent by the first terminal device; when the second message does not include the identity of the first user, the receiving module 1330 is configured to perform secondary authentication on the first user according to the identity of the first terminal device.
Optionally, before performing secondary authentication on the first user, the obtaining module 1310 is configured to obtain capability information of the first terminal device, where the capability information of the first terminal device is used to indicate that the core network function entity may perform secondary authentication on the first user according to the identity of the first terminal device.
Optionally, the capability information of the first terminal device is carried in a registration request message in a primary authentication process between the first terminal device and the first network.
Optionally, the identity of the first terminal device corresponds to an identity of the second network for performing secondary authentication on multiple users, where the identities of the multiple users include an identity of the first user, and the obtaining module 1310 is configured to obtain a first indication, where the first indication is used to determine the identity of the first user in the identities of the multiple users.
Optionally, the apparatus 1300 may further include a selection module. The selection module is used for selecting a first authentication method for the secondary authentication, wherein the first authentication method is supported by both the first terminal device and the authentication device in the second network.
Optionally, the selecting module is specifically configured to obtain a first authentication method set and a second authentication method set, where the first authentication method set includes an authentication method preferred by the first terminal device, and the second authentication method set includes an authentication method preferred by an authentication device in the second network; the selecting module is specifically configured to determine the first authentication method according to the first authentication method set and the second authentication method set, where the first authentication method is a preferable authentication method for both the first terminal device and the authentication device in the second network; the sending module 1320 is specifically configured to send the first authentication method to an authentication device in the second network.
Optionally, the second set of authentication methods is stored in the core network function entity, and/or the first set of authentication methods is stored in the first terminal device and/or the core network function entity.
Optionally, the obtaining module 1310 is configured to obtain a first set of authentication methods and a second set of authentication methods, where the first set of authentication methods includes authentication methods preferred by the first terminal device, and the second set of authentication methods includes authentication methods preferred by authentication devices in the second network; when the first authentication method set and the second authentication method set do not intersect with each other, the sending module 1320 is configured to send the first authentication method set or a second indication to the authentication device in the second network, where the second indication is used to indicate the authentication device in the second network to perform authentication method negotiation with the first terminal device.
Fig. 14 is a schematic structural diagram of a communication device provided in an embodiment of the present application. The communication apparatus 1400 shown in fig. 14 may correspond to the core network functional entity described above. The communication apparatus 1400 includes a processor 1402. In an embodiment of the present application, the processor 1402 is configured to control and manage the actions of the core network functional entity; for example, the processor 1402 is configured to support the core network functional entity in performing the methods, operations or functions shown in fig. 3 to 11 in the foregoing embodiments. Optionally, the core network functional entity may further include a memory 1401 and a communication interface 1403; the processor 1402, the communication interface 1403 and the memory 1401 may be connected to each other through a bus 1404. The communication interface 1403 is used to support communication of the core network functional entity, and the memory 1401 is used to store the program code and data of the network device. The processor 1402 calls the code stored in the memory 1401 to perform control and management. The memory 1401 may or may not be coupled to the processor.
The processor 1402 may be, among other things, a central processing unit, a general purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, transistor logic, a hardware component, or any combination thereof. It may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor may also be a combination of computing functions, e.g., one or more microprocessors, or a digital signal processor combined with a microprocessor. The communication interface 1403 may be a transceiver, circuit, bus, module, or other type of communication interface. The bus 1404 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 14, but this is not intended to represent only one bus or type of bus.
Fig. 15 is a schematic structural diagram of an apparatus provided in an embodiment of the present application. The apparatus 1500 in fig. 15 may be the authentication device in the second network in the foregoing, and may be a specific example of the AAA server 221 in fig. 2. The apparatus shown in fig. 15 may be used to perform the methods of fig. 3-12, and the description will not be repeated to avoid redundancy.
The communications apparatus 1500 shown in fig. 15 may include a receiving module 1510, a determining module 1520, and an authenticating module 1530.
The receiving module 1510 is configured to receive an identity of a first terminal device sent by a core network function entity, where the identity of the first terminal device is an identity of a first network.
The determining module 1520 is configured to determine the identity of the first user according to the identity of the first terminal device and a mapping relationship between the identity of the first terminal device and an identity of a second network that performs secondary authentication on the first user, where the identity of the first user is different from the identity of the first terminal device.
The authentication module 1530 is configured to perform secondary authentication on the first user according to the identity of the first user.
Optionally, the receiving module 1510 is specifically configured to receive a secondary authentication request sent by the core network function entity, where the secondary authentication request includes the identity of the first terminal device but does not include the identity of the first user.
The authentication module 1530 is specifically configured to send a secondary authentication response message to the core network functional entity, where the secondary authentication response message is used to instruct the first terminal device and the second network to perform secondary authentication on the first user.
Optionally, the identity of the first terminal device corresponds to an identity of the second network for performing secondary authentication on multiple users, where the identities of the multiple users include an identity of the first user, and the receiving module 1510 is configured to receive a first indication sent by a core network function entity, where the first indication is used to determine the identity of the first user in the identities of the multiple users.
Optionally, the receiving module 1510 is configured to receive a first authentication method sent by a core network function entity, where the first authentication method is an authentication method supported by both the first terminal device and an authentication device in the second network.
Optionally, the authentication module 1530 is configured to perform a secondary authentication of the first user according to the first authentication method.
Optionally, the receiving module 1510 is configured to receive a first set of authentication methods sent by a core network function entity, where the first set of authentication methods includes an authentication method preferred by the first terminal device.
Optionally, the receiving module 1510 is configured to select a second authentication method from the first set of authentication methods, where the second authentication method is an authentication method supported by an authentication device in the second network.
Optionally, the authentication module 1530 is configured to perform a secondary authentication on the first user according to the second authentication method.
Optionally, the receiving module 1510 is configured to receive a second instruction sent by a core network function entity, where the second instruction is used to instruct an authentication device in the second network to perform authentication method negotiation with the first terminal device.
Fig. 16 is a schematic structural diagram of a communication device provided in an embodiment of the present application. The communication apparatus 1600 shown in fig. 16 may correspond to the authentication device in the second network described earlier. The communication apparatus 1600 includes a processor 1602. In an embodiment of the present application, the processor 1602 is configured to control and manage the actions of the authentication device in the second network; for example, the processor 1602 is configured to support the authentication device in the second network in performing the methods, operations or functions shown in fig. 3 to 11 in the foregoing embodiments. Optionally, the authentication device in the second network may further include a memory 1601 and a communication interface 1603; the processor 1602, the communication interface 1603 and the memory 1601 may be connected to each other through a bus 1604. The communication interface 1603 is used to support communication of the authentication device in the second network, and the memory 1601 is used to store the program code and data of the network device. The processor 1602 calls the code stored in the memory 1601 to perform control and management. The memory 1601 may or may not be coupled to the processor.
The processor 1602 may be, among other things, a central processing unit, a general purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, transistor logic, a hardware component, or any combination thereof. It may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor may also be a combination of computing functions, e.g., one or more microprocessors, or a digital signal processor combined with a microprocessor. The communication interface 1603 may be a transceiver, circuit, bus, module, or other type of communication interface. The bus 1604 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 16, but this is not intended to represent only one bus or type of bus.
Fig. 17 is a schematic structural diagram of an apparatus provided in an embodiment of the present application. Apparatus 1700 in fig. 17 may be the first terminal device in the foregoing, and may be, for example, terminal device 110 in fig. 1 or a specific example of UE 210 in fig. 2. The apparatus shown in fig. 17 may be used to perform the methods of fig. 3-12, and the description will not be repeated to avoid redundancy.
The apparatus 1700 shown in fig. 17 may include a setup module 1710 and a sending module 1720.
The establishing module 1710 is configured to establish a mapping relationship between an identity of a first terminal device and an identity of a second network that performs secondary authentication on a first user, where the identity of the first terminal device is an identity of the first network.
The sending module 1720 is configured to send the identity of the first terminal device to a core network function entity, or send the identity of the first terminal device and a first indication to the core network function entity, where the first indication is used to determine the identity of the first user in the identities of the second network for performing secondary authentication on multiple users.
Optionally, the sending module 1720 is configured to send, before performing secondary authentication on the first user, capability information of the first terminal device to the core network function entity, where the capability information of the first terminal device is used to indicate that the core network function entity may perform secondary authentication on the first user according to an identity of the first terminal device.
Optionally, the sending module 1720 is configured to send a first set of authentication methods to the core network function entity, where the first set of authentication methods includes an authentication method preferred by the first terminal device.
Fig. 18 is a schematic configuration diagram of a communication apparatus according to an embodiment of the present application. The communication apparatus 1800 shown in fig. 18 may correspond to the first terminal device described earlier. The communication apparatus 1800 includes a processor 1802. In the embodiment of the present application, the processor 1802 is configured to control and manage the actions of the first terminal device; for example, the processor 1802 is configured to support the first terminal device in executing the methods, operations or functions shown in fig. 3 to 11 in the foregoing embodiments. Optionally, the first terminal device may further include a memory 1801 and a communication interface 1803; the processor 1802, communication interface 1803, and memory 1801 may be connected to one another, or interconnected through a bus 1804. The communication interface 1803 is used to support the first terminal device in performing communication, and the memory 1801 is used to store program codes and data of the network device. The processor 1802 calls the code stored in the memory 1801 to perform control and management. The memory 1801 may or may not be coupled to the processor.
The processor 1802 may be a central processing unit, a general purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, transistor logic, a hardware component, or any combination thereof, and may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor may also be a combination of computing functions, for example one or more microprocessors in combination, or a digital signal processor in combination with a microprocessor. The communication interface 1803 may be a transceiver, circuit, bus, module, or other type of communication interface. The bus 1804 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like, and may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 18, but this does not mean there is only one bus or one type of bus.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The above description covers only specific embodiments of the present application, but the scope of the present application is not limited thereto; any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the present application, and these shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (24)

1. A method of secondary authentication, comprising:
a core network functional entity acquires an identity of a first terminal device, wherein the identity of the first terminal device is an identity of a first network performing primary authentication on the first terminal device or an identity having a corresponding relationship with an identity of the first network performing primary authentication on the first terminal device;
and the core network functional entity sends the identity of the first terminal device to authentication equipment in a second network, wherein the identity of the first terminal device is used for determining the identity of the second network for performing secondary authentication on the first user, and the identity of the first user is different from the identity of the first terminal device.
2. The method of claim 1, wherein the sending, by the core network function entity, the identity of the first terminal device to an authentication device in a second network comprises:
the core network functional entity sends a secondary authentication request to the authentication equipment in the second network, wherein the secondary authentication request comprises the identity of the first terminal equipment but does not comprise the identity of the first user; and
the method further comprises the following steps:
and the core network functional entity receives a secondary authentication response message sent by the authentication equipment in the second network, wherein the secondary authentication response message is used for indicating the first terminal equipment and the second network to carry out secondary authentication on the first user.
3. The method of claim 1, further comprising:
the core network functional entity sends a first message to the first terminal device, wherein the first message is used for requesting the identity of the first user;
the core network functional entity receives a second message sent by the first terminal equipment;
and when the second message does not comprise the identity of the first user, the core network functional entity performs secondary authentication on the first user according to the identity of the first terminal equipment.
4. The method of claim 1, further comprising:
before performing secondary authentication on the first user, the core network functional entity obtains capability information of the first terminal device, where the capability information of the first terminal device is used to indicate that the core network functional entity can perform secondary authentication on the first user according to the identity of the first terminal device.
5. The method of claim 4, wherein the capability information of the first terminal device is carried in a registration request message during a primary authentication process between the first terminal device and the first network.
6. The method according to any one of claims 1 to 5, wherein the identity of the first terminal device corresponds to an identity of the second network for performing secondary authentication on a plurality of users, the identities of the plurality of users comprising the identity of the first user, the method further comprising:
and the core network functional entity acquires a first indication, wherein the first indication is used for determining the identity of the first user in the identities of the plurality of users.
7. The method of any one of claims 1 to 5, further comprising:
and the core network functional entity selects a first authentication method for the secondary authentication, wherein the first authentication method is supported by both the first terminal equipment and the authentication equipment in the second network.
8. The method according to claim 7, wherein the selecting, by the core network function entity, of a first authentication method for the secondary authentication comprises:
the core network functional entity acquires a first authentication method set and a second authentication method set, wherein the first authentication method set comprises an authentication method preferred by the first terminal equipment, and the second authentication method set comprises an authentication method preferred by the authentication equipment in the second network;
the core network functional entity determines the first authentication method according to the first authentication method set and the second authentication method set, wherein the first authentication method is an authentication method which is preferred by both the first terminal device and the authentication device in the second network;
and the core network functional entity sends the first authentication method to the authentication equipment in the second network.
9. The method according to claim 8, wherein the second authentication method set is stored in the core network function entity, and/or the first authentication method set is stored in the first terminal device and/or the core network function entity.
10. The method of any one of claims 1 to 5, further comprising:
the core network functional entity acquires a first authentication method set and a second authentication method set, wherein the first authentication method set comprises an authentication method preferred by the first terminal equipment, and the second authentication method set comprises an authentication method preferred by the authentication equipment in the second network;
when the first authentication method set and the second authentication method set do not intersect, the core network functional entity sends the first authentication method set or a second indication to the authentication device in the second network, wherein the second indication is used for indicating the authentication device in the second network to perform authentication method negotiation with the first terminal device.
11. A method of secondary authentication, comprising:
receiving an identity of a first terminal device sent by a core network functional entity, wherein the identity of the first terminal device is an identity of a first network performing primary authentication on the first terminal device or an identity having a corresponding relationship with an identity of the first network performing primary authentication on the first terminal device;
determining the identity of a first user according to the identity of the first terminal equipment and the mapping relation between the identity of the first terminal equipment and the identity of a second network for performing secondary authentication on the first user, wherein the identity of the first user is different from the identity of the first terminal equipment;
and performing secondary authentication on the first user according to the identity of the first user.
12. The method according to claim 11, wherein the receiving the identity of the first terminal device sent by the core network function entity comprises:
receiving a secondary authentication request sent by the core network functional entity, wherein the secondary authentication request includes the identity of the first terminal device but not the identity of the first user;
the performing secondary authentication on the first user according to the identity of the first user comprises:
and sending a secondary authentication response message to the core network functional entity, wherein the secondary authentication response message is used for indicating the first terminal equipment and the second network to perform secondary authentication on the first user.
13. The method of claim 11, wherein the identity of the first terminal device corresponds to an identity of the second network for performing secondary authentication on multiple users, and the identities of the multiple users include an identity of the first user, and the method further comprises:
receiving a first indication sent by a core network function entity, wherein the first indication is used for determining the identity of the first user in the identities of the plurality of users.
14. The method of any of claims 11 to 13, further comprising:
receiving a first authentication method sent by the core network functional entity, wherein the first authentication method is supported by both the first terminal device and the authentication device in the second network;
and performing secondary authentication on the first user according to the first authentication method.
15. The method of any of claims 11 to 13, further comprising:
receiving a first authentication method set sent by a core network function entity, wherein the first authentication method set comprises authentication methods preferred by the first terminal equipment;
selecting a second authentication method from the first authentication method set, wherein the second authentication method is an authentication method supported by authentication equipment in the second network;
and performing secondary authentication on the first user according to the second authentication method.
16. The method of any of claims 11 to 13, further comprising:
and receiving a second indication sent by the core network function entity, wherein the second indication is used for instructing the authentication device in the second network to perform authentication method negotiation with the first terminal device.
17. A method of secondary authentication, comprising:
establishing a mapping relation between an identity of a first terminal device and an identity of a second network for performing secondary authentication on a first user, wherein the identity of the first terminal device is an identity of the first network for performing primary authentication on the first terminal device or an identity having a corresponding relation with the identity of the first network for performing primary authentication on the first terminal device;
and sending the identity of the first terminal device to a core network functional entity, or sending the identity of the first terminal device and a first indication to the core network functional entity, wherein the first indication is used for determining the identity of the first user in the identity of the second network for performing secondary authentication on a plurality of users.
18. The method of claim 17, further comprising:
before performing secondary authentication on the first user, sending capability information of the first terminal device to the core network function entity, where the capability information of the first terminal device is used to indicate that the core network function entity can perform secondary authentication on the first user according to the identity of the first terminal device.
19. The method of claim 17 or 18, further comprising:
and sending a first authentication method set to the core network function entity, wherein the first authentication method set comprises the authentication methods preferred by the first terminal equipment.
20. An apparatus comprising means for performing the method of any one of claims 1 to 10.
21. An apparatus comprising means for performing the method of any of claims 11 to 16.
22. An apparatus comprising means for performing the method of any of claims 17-19.
23. An apparatus comprising a processor, coupled to a memory, that executes instructions in the memory to implement the method of any of claims 1-19.
24. A computer-readable storage medium having stored thereon computer-executable instructions configured to perform the method of any one of claims 1 to 19.
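The flow of claims 1 to 19, simulated as an added example (not code from the patent): the core network function forwards only the terminal's first-network identity, the authentication device in the second network resolves it to the user identity through the mapping of claim 17 (using the first indication when one terminal identity maps to several users), and the authentication method is chosen as in claims 8, 10 and 14 to 16. Class names, the capability flag, the identities and the EAP method labels are constructed assumptions, and the EAP exchange itself is not simulated.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class SecondaryAuthRequest:
    """Request from the core network function to the second network (claim 2); it
    carries the terminal's first-network identity, never the user identity."""
    terminal_id: str
    first_indication: Optional[str] = None  # selects one user when the id maps to several (claim 6)
    auth_method: Optional[str] = None       # first authentication method chosen by the core (claim 8)
    auth_method_set: Tuple[str, ...] = ()   # first set, forwarded when no common method exists (claim 10)
    negotiate: bool = False                 # second indication: negotiate with the terminal (claim 10)

class SecondNetworkAuthServer:  # authentication device in the second network (claims 11 to 16)
    def __init__(self, preferred: Tuple[str, ...], supported: Tuple[str, ...]):
        self.preferred = preferred  # second authentication method set (claim 8)
        self.supported = supported  # every method the device can run (claim 15)
        # terminal identity -> first indication (or None) -> user identity (claims 11 and 17)
        self.mapping: Dict[str, Dict[Optional[str], str]] = {}

    def establish_mapping(self, terminal_id: str, user_id: str, first_indication: Optional[str] = None):
        self.mapping.setdefault(terminal_id, {})[first_indication] = user_id

    def resolve_user(self, terminal_id: str, first_indication: Optional[str] = None) -> Optional[str]:
        users = self.mapping.get(terminal_id, {})
        if first_indication is None and len(users) == 1:
            return next(iter(users.values()))
        return users.get(first_indication)  # None: unknown identity, or ambiguous without indication

    def handle(self, req: SecondaryAuthRequest) -> dict:
        user_id = self.resolve_user(req.terminal_id, req.first_indication)
        if user_id is None:
            return {"status": "rejected", "reason": "no unique mapping for terminal identity"}
        if req.negotiate:  # claim 16: the device negotiates the method with the terminal itself
            return {"status": "negotiate", "user_id": user_id}
        if req.auth_method is not None:  # claim 14
            method = req.auth_method if req.auth_method in self.supported else None
        else:  # claim 15: pick a supported method out of the terminal's preferred set
            method = next((m for m in req.auth_method_set if m in self.supported), None)
        if method is None:
            return {"status": "rejected", "reason": "no usable authentication method"}
        # The EAP run is not simulated; this is the response of claim 12 telling both sides to start it.
        return {"status": "accepted", "user_id": user_id, "method": method}

class CoreNetworkFunction:  # core network function entity (claims 1 to 10)
    def __init__(self, auth_server: SecondNetworkAuthServer):
        self.auth_server = auth_server
        self.capable: Dict[str, bool] = {}                # capability information (claims 4 and 5)
        self.first_sets: Dict[str, Tuple[str, ...]] = {}  # first authentication method sets (claim 9)

    def register(self, terminal_id: str, capable: bool, preferred: Tuple[str, ...]):
        self.capable[terminal_id] = capable       # carried in the registration request (claim 5)
        self.first_sets[terminal_id] = preferred  # stored in the core network (claim 9)

    @staticmethod
    def select_method(first_set, second_set) -> Optional[str]:
        # claim 8: a method preferred by both sides; the terminal's order breaks ties (assumption)
        return next((m for m in first_set if m in second_set), None)

    def secondary_authenticate(self, terminal_id: str, first_indication: Optional[str] = None) -> dict:
        if not self.capable.get(terminal_id):  # claim 4: identity-based path needs the capability
            return {"status": "rejected", "reason": "terminal did not announce capability"}
        first_set = self.first_sets.get(terminal_id, ())
        req = SecondaryAuthRequest(terminal_id, first_indication)
        req.auth_method = self.select_method(first_set, self.auth_server.preferred)
        if req.auth_method is None:  # claim 10: no intersection, forward the set or ask to negotiate
            if first_set:
                req.auth_method_set = first_set
            else:
                req.negotiate = True  # assumption: used only when the terminal sent no set
        return self.auth_server.handle(req)

def demo() -> Dict[str, dict]:
    # Constructed scenario: identities and method names are illustrative only.
    server = SecondNetworkAuthServer(("EAP-TLS", "EAP-AKA'"), ("EAP-TLS", "EAP-AKA'", "EAP-TTLS"))
    for tid, uid, ind in [("ue-1", "alice@dn.example", None), ("ue-2", "bob@dn.example", "slot-a"),
                          ("ue-2", "carol@dn.example", "slot-b")]:
        server.establish_mapping(tid, uid, ind)
    core = CoreNetworkFunction(server)
    core.register("ue-1", True, ("EAP-AKA'", "EAP-TLS"))  # shares EAP-AKA' with the server
    core.register("ue-2", True, ("EAP-TTLS",))             # no common preferred method
    return {"single": core.secondary_authenticate("ue-1"),
            "ambiguous": core.secondary_authenticate("ue-2"),
            "indicated": core.secondary_authenticate("ue-2", first_indication="slot-b")}
```

The "ambiguous" case shows why claim 6 needs the first indication: one terminal identity mapped to two users cannot be resolved, so the request is refused rather than guessed.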
CN201910522598.3A 2019-06-17 2019-06-17 Secondary authentication method and device Active CN112105015B (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
CN202210997886.6A CN115835218A (en) 2019-06-17 2019-06-17 Secondary authentication method and device
CN201910522598.3A CN112105015B (en) 2019-06-17 2019-06-17 Secondary authentication method and device
EP20827832.5A EP3955613A4 (en) 2019-06-17 2020-05-07 Secondary authentication method and apparatus
PCT/CN2020/088907 WO2020253408A1 (en) 2019-06-17 2020-05-07 Secondary authentication method and apparatus
US17/532,757 US20220086145A1 (en) 2019-06-17 2021-11-22 Secondary Authentication Method And Apparatus

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202210997886.6A Division CN115835218A (en) 2019-06-17 2019-06-17 Secondary authentication method and device

Publications (2)

Publication Number Publication Date
CN112105015A CN112105015A (en) 2020-12-18
CN112105015B true CN112105015B (en) 2022-08-26

Family

ID=73748913

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201910522598.3A Active CN112105015B (en) 2019-06-17 2019-06-17 Secondary authentication method and device
CN202210997886.6A Pending CN115835218A (en) 2019-06-17 2019-06-17 Secondary authentication method and device

Country Status (4)

Country Link
US (1) US20220086145A1 (en)
EP (1) EP3955613A4 (en)
CN (2) CN112105015B (en)
WO (1) WO2020253408A1 (en)

Also Published As

Publication number Publication date
EP3955613A4 (en) 2022-09-28
CN115835218A (en) 2023-03-21
US20220086145A1 (en) 2022-03-17
WO2020253408A1 (en) 2020-12-24
CN112105015A (en) 2020-12-18
EP3955613A1 (en) 2022-02-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant